Abstract—We investigate the semantic intricacies of conditioning, a main feature in probabilistic programming. We provide a weakest (liberal) pre-condition (w(l)p) semantics for the elementary probabilistic programming language pGCL extended with conditioning. We prove that quantitative weakest (liberal) pre-conditions coincide with conditional (liberal) expected rewards in Markov chains and show that semantically conditioning is a truly conservative extension. We present two program transformations which entirely eliminate conditioning from any program and prove their correctness using the w(l)p-semantics. Finally, we show how the w(l)p-semantics can be used to determine conditional probabilities in a parametric anonymity protocol and show that an inductive w(l)p-semantics for conditioning in non-deterministic probabilistic programs cannot exist.

I. Introduction 

Probabilistic programming is en vogue [ref]. It is mainstream in machine learning for describing distribution functions; Bayesian inference is pivotal in their analysis. It is used in security for describing both cryptographic constructions such as randomized encryption and experiments defining security notions [ref]. Probabilistic programs, being an extension of familiar notions, render these various fields accessible to programming communities. A rich palette of probabilistic programming languages exists including Church [ref] as well as modern approaches like probabilistic C [ref], Tabular [ref] and R2 [ref].

Probabilistic programs are sequential programs having two main features: (1) the ability to draw values at random from probability distributions, and (2) the ability to condition values of variables in a program through observations. The semantics of languages without conditioning is well-understood. Kozen [ref] considered denotational semantics, whereas McIver and Morgan [ref] provided a weakest (liberal) precondition (w(l)p) semantics; a corresponding operational semantics is given by Gretz et al. [ref]. Other relevant works include probabilistic power-domains [ref], semantics of constraint probabilistic programming languages [ref], and semantics for stochastic λ-calculi [ref].

Conditioning of variables through observations is less well-understood and raises various semantic difficulties as we will discuss in this paper. Previous work on semantics for programs with observe statements [ref] does neither consider the possibility of non-termination nor the powerful feature of non-determinism. In this paper, we thoroughly study a more general setting which accounts for non-termination by means of a very simple yet powerful probabilistic programming language supporting non-determinism and observations. Let us first study a few examples that illustrate the semantic intricacies. The sample program snippet P_obs1,

    {x := 0} [1/2] {x := 1}; observe x = 1

assigns zero to the variable x with probability 1/2 while x is assigned one with the same likelihood, after which we condition to the outcome x being one. The observe statement blocks all runs violating its condition and prevents those runs from happening. It differs, e.g., from program annotations like (probabilistic) assertions [ref]. The interpretation of the program is the expected outcome conditioned on permitted runs. For the sample program P_obs1, this yields the outcome 1 · 1: there is one feasible run that happens with probability one with x being one. Whereas this is rather straightforward, a slight variant like P_obs2

    {x := 0; observe x = 1} [1/2] {x := 1; observe x = 1}

is somewhat more involved, as the entire left branch of the probabilistic choice is infeasible. Is this program equivalent to the sample program P_obs1?

The situation becomes more intricate when considering loopy programs that may diverge. Consider the programs P_div (left) and P_andiv (right):

    P_div:                      P_andiv:
    x := 1;                     x := 1;
    while (x = 1) {             while (x = 1) {
      x := 1                      {x := 1} [1/2] {x := 0};
    }                             observe x = 1
                                }

Program P_div diverges and therefore yields as expected outcome zero. Due to the conditioning on x = 1, P_andiv admits just a single (diverging) feasible run but this run almost surely never happens. Its conditional expected outcome can thus not be measured. It should be noted that programs with (probabilistic) assertions must be loop-free to avoid similar problems [ref]. Other approaches insist on the absence of diverging loops [ref].

Intricacies also occur when conditioning is used in programs that may abort. Consider the program

    {abort} [1/2] {{x := 0} [1/2] {x := 1};
                   {y := 0} [1/2] {y := 1}; observe x = 0 ∨ y = 0}

where abort is the faulty aborting program which by definition does nothing else but diverge. The above program tosses a fair coin and depending on the outcome either diverges or tosses a fair coin twice. It finally conditions on at least once heads (x = 0 or y = 0). What is the probability that the outcome of the last coin toss was heads? The main issue here is how to treat the possibility of abortion.

Combining conditioning with non-determinism is complicated, too.¹ Non-determinism is a powerful means to deal with unknown information, as well as to specify abstractions in situations where details are unimportant. Let program P_nondet be:

    {{x := 5} □ {x := 2}} [1/4] {x := 2};
    observe x > 3

where with probability 1/4, x is set to either 5 or 2 non-deterministically (denoted {x := 5} □ {x := 2}), while x is set to 2 with likelihood 3/4. Resolving the non-deterministic choice in favour of setting x to five yields an expectation of 5 for x, obtained as 5 · 1/4 rescaled over the single feasible run of P_nondet. Taking the right branch however induces an infeasible run due to the violation of the condition x > 3, yielding a non-measurable outcome.

The above issues (loops, divergence, and non-determinism) indicate that conditioning in probabilistic programs is far from trivial. This paper presents a thorough semantic treatment of conditioning in a probabilistic extension of Dijkstra's guarded command language (known as pGCL [ref]), an elementary though foundational language that includes (amongst others) parametric probabilistic choice. We take several semantic viewpoints. Reward Markov Decision Processes (RMDPs) [ref] are used as the basis for an operational semantics. This semantics is rather simple and elegant while covering all aforementioned phenomena. In particular, it discriminates the programs P_div and P_andiv while it does not discriminate P_obs1 and P_obs2.

We also provide a weakest pre-condition (wp) semantics à la [ref]. This is typically defined inductively over the structure of the program. We show that combining both non-determinism and conditioning cannot be treated in this manner. Given this impossibility result we present a wp-semantics for fully probabilistic programs, i.e., programs without non-determinism. To treat possibly non-terminating programs, due to e.g., diverging loops or abortion, this is complemented by a weakest liberal pre-condition (wlp) semantics. The wlp-semantics yields the weakest pre-expectation (the probabilistic pendant of weakest pre-condition) under which program P either does not terminate or establishes a post-expectation. It thus differs from the wp-semantics in not guaranteeing termination. The conditional weakest pre-expectation (cwp) of P with respect to post-expectation f is then given by normalizing wp[P](f) with respect to wlp[P](1). The latter yields the wp under which P either does not terminate or terminates while passing all observe statements. This is proven to correspond to conditional expected rewards in the RMDP-semantics, extending a similar result for pGCL [ref]. Our semantic viewpoints are thus consistent for fully probabilistic programs. Besides, we show that conditioning is semantically a truly conservative extension. That is to say, our semantics is backward compatible with the (usual) pGCL semantics; this does not apply to alternative approaches such as R2 [ref].

¹ As stated in [ref], "representing and inferring sets of distributions is more complicated than dealing with a single distribution, and hence there are several technical challenges in adding non-determinism to probabilistic programs".

Finally, we show several practical applications of our results. We present two program transformations which entirely eliminate conditioning from any program and prove their correctness using the w(l)p-semantics. In addition, we show how the w(l)p-semantics can be used to determine conditional probabilities in a simplified version of the parametric anonymity protocol Crowds [ref].

Summarized, we provide the first operational semantics for imperative probabilistic programming languages with conditioning and both probabilistic and non-deterministic choice. Furthermore we give a denotational semantics for the fully probabilistic case, which in contrast to [ref], where every program is assumed to terminate almost surely, takes the probability of non-termination into account. Finally, our semantics enables to prove the correctness of several program transformations that eliminate observe statements.

II. Preliminaries 

In this section we present the probabilistic programming 
language used for our approaches and recall the notions of 
expectation transformers and (conditional) expected reward 
over Markov decision processes used to endow the language 
with a formal semantics. 

a) Probabilistic programs and expectation transformers: We adopt the probabilistic guarded command language (pGCL) [ref] for describing probabilistic programs. pGCL is an extension of Dijkstra's guarded command language (GCL) [ref] with a binary probabilistic choice operator and its syntax is given by the clause

    P ::= skip | abort | x := E | P; P | ite (G) {P} {P} | {P} [p] {P} | {P} □ {P} | while (G) {P} .

Here, x belongs to V, the set of program variables; E is an arithmetical expression over V, G a Boolean expression over V and p a real-valued parameter with domain [0, 1]. Most of the pGCL instructions are self-explanatory; we elaborate only on the following: {P} [p] {Q} represents a probabilistic choice where program P is executed with probability p and program Q with probability 1 − p. {P} □ {Q} represents a non-deterministic choice between P and Q.

pGCL programs are given a formal semantics through the notion of expectation transformers. Let 𝕊 be the set of program states, where a program state is a variable valuation. Now assume that P is a fully probabilistic program, i.e. a program without non-deterministic choices. We can see P as a mapping from an initial state σ to a distribution over final states [[P]](σ). Given a random variable f: 𝕊 → ℝ≥0, transformer wp[P] maps every initial state σ to the expected value E_{[[P]](σ)}(f) of f with respect to the distribution of final states [[P]](σ). Symbolically,

$$\mathrm{wp}[P](f)(\sigma) = \mathbb{E}_{[\![P]\!](\sigma)}(f) .$$

In particular, if f = χ_A is the characteristic function of some event A, wp[P](f) retrieves the probability that the event occurred after the execution of P. (Moreover, if P is a deterministic program in GCL, E_{[[P]](σ)}(χ_A) is {0, 1}-valued and we recover the ordinary notion of weakest pre-condition introduced by Dijkstra [ref].)

In contrast to the fully probabilistic case, the execution of a non-deterministic program P may lead to multiple (rather than a single) distributions of final states. To account for this kind of programs, the definition of wp[P] is extended as follows:

$$\mathrm{wp}[P](f)(\sigma) = \inf_{\mu \in [\![P]\!](\sigma)} \mathbb{E}_{\mu}(f)$$

In other words, wp[P](f) represents the tightest lower bound that can be guaranteed for the expected value of f (we assume that non-deterministic choices are resolved demonically,² attempting to minimize the expected value of f).

In the following, we use the term expectation to refer to a random variable mapping program states to real values. The expectation transformer wp then transforms a post-expectation f into a pre-expectation wp[P](f) and can be defined inductively, following the rules in Figure 2 (second column). The transformer wp also admits a liberal variant wlp, which differs from wp in the way in which non-termination is treated.

Formally, the transformer wp operates on unbounded expectations in E = 𝕊 → ℝ≥0^∞ and wlp operates on bounded expectations in E≤1 = 𝕊 → [0, 1]. Here ℝ≥0^∞ denotes the set of non-negative real values with the adjoined ∞ value. In order to guarantee the well-definedness of wp and wlp we need to provide E and E≤1 with the structure of a directed-complete partial order. Expectations are ordered pointwise, i.e. f ⊑ g iff f(σ) ≤ g(σ) for every state σ ∈ 𝕊. The least upper bound of directed subsets is also defined pointwise.

In what follows we use bold fonts for constant expectations, e.g. 1 denotes the constant expectation 1. Given an arithmetical expression E over program variables we simply write E for the expectation that in state σ returns σ(E). Given a Boolean expression G over program variables we use χ_G to denote the {0, 1}-valued expectation that returns 1 if σ ⊨ G and 0 otherwise.

b) MDPs and conditional expected rewards: Let V be a finite set of parameters. A parametric distribution over a countable set S is a function μ: S → Z_V with Σ_{s ∈ S} μ(s) = 1, where Z_V denotes the set of all polynomials³ over V. Distr(S) denotes the set of parametric distributions over S.

² Demonic schedulers induce the most pessimistic expected outcome while in [ref] also angelic schedulers are considered which guarantee the most optimistic outcome.

³ Although parametric distributions are defined as polynomials over the parameters, we only use p and 1 − p for p


Definition II.1 (Parametric Discrete-time Reward Markov Decision Process). Let AP be a set of atomic propositions. A parametric discrete-time reward Markov decision process (RMDP) is a tuple ℛ = (S, s_I, Act, 𝐏, L, r) with a countable set of states S, a unique initial state s_I ∈ S, a finite set of actions Act, a transition probability function 𝐏: S × Act → Distr(S) with ∀(s, a) ∈ S × Act, a labeling function L: S → 2^AP, and a reward function r: S → ℝ≥0.

A path of ℛ is a finite or infinite sequence π = s₀ a₀ s₁ a₁ ⋯ such that s_i ∈ S, a_i ∈ Act, s₀ = s_I, and 𝐏(s_i, a_i)(s_{i+1}) > 0 for all i ≥ 0. A finite path is denoted by π = s₀ a₀ ⋯ s_n for n ∈ ℕ with last(π) = s_n and |π| = n. The i-th state s_i of π is denoted π(i). The set of all paths of ℛ is denoted by Paths^ℛ and sets of infinite or finite paths by Paths^ℛ_inf or Paths^ℛ_fin, respectively. Paths^ℛ(s) is the set of paths starting in s and Paths^ℛ(s, s') is the set of all finite paths starting in s and ending in s'. This is also lifted to sets of states. If clear from the context we omit the superscript ℛ.

An MDP operates by a non-deterministic choice of an action a ∈ Act that is enabled at state s and a subsequent probabilistic determination of a successor state according to 𝐏(s, a). We denote the set of actions that are enabled at s by Act(s) and assume that Act(s) ≠ ∅ for each state s. A state s with |Act(s)| = 1 is called fully probabilistic, and in this case we use 𝐏(s, s') as a shorthand for 𝐏(s, a)(s') where Act(s) = {a}. For resolving the non-deterministic choices, so-called schedulers are used. In our setting, deterministic schedulers suffice, which are partial functions 𝔖: Paths^ℛ_fin → Act with 𝔖(π) ∈ Act(last(π)). A deterministic scheduler is called memoryless if the choice depends only on the current state, yielding a function 𝔖: S → Act. The class of all (deterministic) schedulers for ℛ is denoted by Sched^ℛ.

A parametric discrete-time reward Markov chain (RMC) is an RMDP with only fully probabilistic states. For an RMC we use the notation 𝒟 = (S, s_I, 𝐏, L, r) where 𝐏: S → Distr(S) is called a transition probability matrix. For RMDP ℛ, the fully probabilistic system ℛ^𝔖 induced by a scheduler 𝔖 ∈ Sched^ℛ is an induced RMC. A probability measure is defined on the induced RMCs. The measure for RMC 𝒟 is given by Pr^𝒟: Paths^𝒟_fin → [0, 1] ⊆ ℝ with

$$\Pr{}^{\mathcal{D}}(\pi) = \prod_{i=0}^{n-1} \mathbf{P}(s_i, s_{i+1}), \quad \text{for } \pi = s_0 \cdots s_n .$$

The probability measure can be lifted to sets of (infinite) paths using a cylinder set construction, see [ref, Ch. 10]. The cumulated reward of a finite path π = s₀ ⋯ s_n is given by r(π) = ; the reward is "earned" when leaving the state.

We consider reachability properties of the form ◇T for a set of target states T = {s ∈ S | T ∈ L(s)} where T is overloaded to be a set of states and a label in AP. The set ◇T = {π ∈ Paths(s_I, T) | ∀0 ≤ i < |π|. π(i) ∉ T} shall be prefix-free and contain all paths of 𝒟 that visit a target state. Analogously, the set ¬◇T = {π ∈ Paths_inf(s_I) | ∀i ≥ 0. π(i) ∉ T} contains all paths that never reach a state in T.
Let us first consider reward objectives for fully probabilistic models, i.e., RMCs. The expected reward for a finite set of paths ◇T ⊆ Paths_fin is

$$\mathrm{ExpRew}^{\mathcal{D}}(\Diamond T) = \sum_{\pi \in \Diamond T} \Pr{}^{\mathcal{D}}(\pi) \cdot r(\pi) .$$

For a reward bounded by one, the notion of the liberal expected reward also takes the mere probability of not reaching the target states into account:

$$\mathrm{LExpRew}^{\mathcal{D}}(\Diamond T) = \mathrm{ExpRew}^{\mathcal{D}}(\Diamond T) + \Pr{}^{\mathcal{D}}(\neg\Diamond T) .$$

A liberal expected reward will later represent the probability of either establishing some condition or not terminating.

To explicitly exclude the probability of paths that reach "undesired" states, we let U = {s ∈ S | ↯ ∈ L(s)} and define the conditional expected reward for the condition ¬◇U by⁴

$$\mathrm{CExpRew}^{\mathcal{D}}(\Diamond T \mid \neg\Diamond U) \;\triangleq\; \frac{\mathrm{ExpRew}^{\mathcal{D}}(\Diamond T \cap \neg\Diamond U)}{\Pr{}^{\mathcal{D}}(\neg\Diamond U)} .$$

For details about conditional probabilities and expected rewards, we refer to [ref]. Conditional liberal expected rewards are defined by

$$\mathrm{CLExpRew}^{\mathcal{D}}(\Diamond T \mid \neg\Diamond U) \;\triangleq\; \frac{\mathrm{LExpRew}^{\mathcal{D}}(\Diamond T \cap \neg\Diamond U)}{\Pr{}^{\mathcal{D}}(\neg\Diamond U)} .$$

Reward objectives for RMDPs are now defined using a demonic scheduler 𝔖 ∈ Sched^ℛ minimizing probabilities and expected rewards for the induced RMC ℛ^𝔖. For the expected reward this yields

$$\mathrm{ExpRew}^{\mathcal{R}}(\Diamond T) = \inf_{\mathfrak{S} \in \mathrm{Sched}^{\mathcal{R}}} \mathrm{ExpRew}^{\mathcal{R}^{\mathfrak{S}}}(\Diamond T) .$$

The scheduler for conditional expected reward properties minimizes the value of the quotient:

$$\mathrm{CExpRew}^{\mathcal{R}}(\Diamond T \mid \neg\Diamond U) \;\triangleq\; \inf_{\mathfrak{S} \in \mathrm{Sched}^{\mathcal{R}}} \mathrm{CExpRew}^{\mathcal{R}^{\mathfrak{S}}}(\Diamond T \mid \neg\Diamond U) \;=\; \inf_{\mathfrak{S} \in \mathrm{Sched}^{\mathcal{R}}} \frac{\mathrm{ExpRew}^{\mathcal{R}^{\mathfrak{S}}}(\Diamond T \cap \neg\Diamond U)}{\Pr{}^{\mathcal{R}^{\mathfrak{S}}}(\neg\Diamond U)} .$$

The liberal reward notions for RMDPs are analogous. Regarding the quotient minimization we assume "0/0 < 0" as we see 0/0 (being undefined) to be less favorable than 0.

III. Conditional pGCL 

As mentioned in Section II, pGCL programs can be considered as distribution transformers. Inspired by [ref], we extend pGCL with observe statements to obtain conditional pGCL (cpGCL, for short). This is done by extending the syntax of pGCL (Section II) with observe G where G is a Boolean expression over the program variables. When a program's execution reaches observe G with a current variable valuation σ ⊭ G, further execution of the program is blocked as with an assert statement [ref]. In contrast to assert, however, the observe statements do not only block further execution but condition resulting distributions on the program's state to only those executions satisfying the observations. Consider two small example programs:

    Left:                         Right:
    {x := 0} [p] {x := 1};        {x := 0} [p] {x := 1};
    {y := 0} [q] {y := −1}        {y := 0} [q] {y := −1};
                                  observe x + y = 0

The left program establishes that the probability of x = 0 is p, whereas for the right program this probability is pq / (pq + (1−p)(1−q)). The left program admits all (four) runs, two of which satisfy x = 0. Due to the observe statement requiring x + y = 0, the right program, however, admits only two runs (x = 0, y = 0 and x = 1, y = −1), the first of which satisfies x = 0.

In Section V we will focus on the subclass of fully probabilistic programs in cpGCL, which we denote cpGCL^p.

⁴ Note that strictly formally one would have to define the intersection of sets of finite and possibly infinite paths by means of a cylinder set construction considering all infinite extensions of finite paths.

IV. Operational Semantics for cpGCL

This section presents an operational semantics for cpGCL using RMDPs as underlying model inspired by [ref]. Schematically, the operational RMDP of a cpGCL program shall have the following structure (the schematic figure is not reproduced here):

Terminating runs eventually end up in the ⟨sink⟩ state; other runs are diverging (never reach ⟨sink⟩). A program terminates either successfully, i.e. a run passes a ✓-labelled state, or terminates due to a false observation, i.e. a run passes ⟨↯⟩. Squiggly arrows indicate reaching certain states via possibly multiple paths and states; the clouds indicate that there might be several states of the particular kind. The ✓-labelled states are the only ones with positive reward. Note that the sets of paths that eventually reach ⟨↯⟩, eventually reach ✓, or diverge, are pairwise disjoint.

Definition IV.1 (Operational cpGCL semantics). The operational semantics of P ∈ cpGCL for σ ∈ 𝕊 and f ∈ E is the RMDP ℛ^f_σ[[P]] = (S, ⟨P, σ⟩, Act, 𝐏, L, r), such that S is the smallest set of states with ⟨↯⟩ ∈ S, ⟨sink⟩ ∈ S, and ⟨Q, τ⟩, ⟨↓, τ⟩ ∈ S for Q ∈ pGCL and τ ∈ 𝕊. ⟨P, σ⟩ ∈ S is the initial state. Act = {left, right} is the set of actions. 𝐏 is formed according to the rules given in Figure 1. The labelling and the reward function are given by:

    L(s) = {✓},     if s = ⟨↓, τ⟩, for some τ ∈ 𝕊
           {sink},  if s = ⟨sink⟩
           {↯},     if s = ⟨↯⟩
           ∅,       otherwise.
Fig. 1. Rules for the construction of the operational RMDPs.

    (terminal)         ⟨↓, σ⟩ → ⟨sink⟩
    (undesired)        ⟨↯⟩ → ⟨sink⟩
    (skip)             ⟨skip, σ⟩ → ⟨↓, σ⟩
    (abort)            ⟨abort, σ⟩ → ⟨abort, σ⟩
    (assign)           ⟨x := E, σ⟩ → ⟨↓, σ[x ↦ [[E]]_σ]⟩
    (concatenate)      ⟨↓; Q, σ⟩ → ⟨Q, σ⟩
                       if ⟨P, σ⟩ → ⟨↯⟩ then ⟨P; Q, σ⟩ → ⟨↯⟩
                       if ⟨P, σ⟩ → μ then ⟨P; Q, σ⟩ → ν, where ∀P'. ν(⟨P'; Q, σ'⟩) = μ(⟨P', σ'⟩)
    (observe)          σ ⊨ G:  ⟨observe G, σ⟩ → ⟨↓, σ⟩
                       σ ⊭ G:  ⟨observe G, σ⟩ → ⟨↯⟩
    (if)               σ ⊨ G:  ⟨ite (G) {P} {Q}, σ⟩ → ⟨P, σ⟩
                       σ ⊭ G:  ⟨ite (G) {P} {Q}, σ⟩ → ⟨Q, σ⟩
    (while)            σ ⊨ G:  ⟨while (G) {P}, σ⟩ → ⟨P; while (G) {P}, σ⟩
                       σ ⊭ G:  ⟨while (G) {P}, σ⟩ → ⟨↓, σ⟩
    (prob. choice)     ⟨{P} [p] {Q}, σ⟩ → ν, where ν(⟨P, σ⟩) := p, ν(⟨Q, σ⟩) := 1 − p
    (non-det. choice)  ⟨{P} □ {Q}, σ⟩ →(left) ⟨P, σ⟩   and   ⟨{P} □ {Q}, σ⟩ →(right) ⟨Q, σ⟩

If not stated otherwise, ⟨s⟩ → ⟨t⟩ is a shorthand for ⟨s⟩ → μ ∈ Distr(S) with μ(⟨t⟩) = 1. A terminal state of the form ⟨↓, σ⟩ indicates successful termination. Terminal states and ⟨↯⟩ go to the ⟨sink⟩ state. skip without context terminates successfully. abort self-loops, i.e. diverges. x := E alters the variable valuation according to the assignment, then terminates successfully. For the concatenation, ⟨↓; Q, σ⟩ indicates successful termination of the first program, so the execution continues with ⟨Q, σ⟩. If for P; Q the execution of P leads to ⟨↯⟩, P; Q does so, too. Otherwise, for ⟨P, σ⟩ → μ, μ is lifted such that Q is concatenated to the support of μ. If for the conditional choice σ ⊨ G holds, P is executed, otherwise Q. The case for while is similar. For the probabilistic choice, a distribution ν is created according to p. For {P} □ {Q} we call P the left choice and Q the right choice for actions left, right ∈ Act. For the observe statement, if σ ⊨ G, observe acts like skip. Otherwise, the execution leads directly to ⟨↯⟩ indicating a violation of the observe statement.


    r(s) = f(τ),  if s = ⟨↓, τ⟩, for some τ ∈ 𝕊
           0,     otherwise

where a state of the form ⟨↓, τ⟩ denotes a terminal state in which no program is left to be executed.

To determine the conditional expected outcome of program P given that all observations are true, we need to determine the expected reward to reach ⟨sink⟩ from the initial state conditioned on not reaching ⟨↯⟩ under a demonic scheduler. For ℛ^f_σ[[P]] this is given by CExpRew^{ℛ^f_σ[[P]]}(◇sink | ¬◇↯).

Recall for the condition ¬◇↯ that all paths not eventually reaching ⟨↯⟩ either diverge (thus collect reward 0) or pass by a ✓-labelled state and eventually reach ⟨sink⟩. This gives us:

$$\mathrm{CExpRew}^{\mathcal{R}^f_\sigma[\![P]\!]}(\Diamond \mathit{sink} \mid \neg\Diamond ↯) \;=\; \inf_{\mathfrak{S} \in \mathrm{Sched}^{\mathcal{R}^f_\sigma[\![P]\!]}} \frac{\mathrm{ExpRew}^{\mathfrak{S}}(\Diamond \mathit{sink} \cap \neg\Diamond ↯)}{\Pr{}^{\mathfrak{S}}(\neg\Diamond ↯)} \;=\; \inf_{\mathfrak{S} \in \mathrm{Sched}^{\mathcal{R}^f_\sigma[\![P]\!]}} \frac{\mathrm{ExpRew}^{\mathfrak{S}}(\Diamond \mathit{sink})}{\Pr{}^{\mathfrak{S}}(\neg\Diamond ↯)}$$

This is analogous for CLExpRew^{ℛ^f_σ[[P]]}(◇sink | ¬◇↯).

Example IV.1. Consider the program P ∈ cpGCL:

    {{x := 5} □ {x := 2}} [q] {x := 2};
    observe x > 3

where with parametrized probability q a non-deterministic choice between x being assigned 2 or 5 is executed, and with probability 1 − q, x is directly assigned 2. Let for readability P₁ = {x := 5} □ {x := 2}, P₂ = x := 2, P₃ = observe x > 3, and P₄ = x := 5. The operational RMDP ℛ^x_{σ_I}[[P]] for an arbitrary initial variable valuation σ_I and post-expectation x is depicted below.

[Figure not reproduced. Its states are: ⟨P, σ_I⟩ leading with probability q to ⟨P₁; P₃, σ_I⟩ and with probability 1 − q to ⟨P₂; P₃, σ_I⟩; on the left ⟨↓; P₃, σ_I[x/5]⟩ → ⟨P₃, σ_I[x/5]⟩ → ⟨↓, σ_I[x/5]⟩ (reward 5) → ⟨sink⟩; on the right ⟨↓; P₃, σ_I[x/2]⟩ → ⟨P₃, σ_I[x/2]⟩ → ⟨↯⟩ → ⟨sink⟩.]

The only state with positive reward is s' := ⟨↓, σ_I[x/5]⟩ and its reward is indicated by number 5. Assume first a scheduler choosing action left in state ⟨P₁; P₃, σ_I⟩. In the induced RMC the only path accumulating positive reward is the path π going from ⟨P, σ_I⟩ via s' to ⟨sink⟩ with r(π) = 5 and Pr(π) = q. This gives an expected reward of 5 · q. The overall probability of not reaching ⟨↯⟩ is also q. The conditional expected reward of eventually reaching ⟨sink⟩ given that ⟨↯⟩ is not reached is hence 5q/q = 5. Assume now the minimizing scheduler choosing right at state ⟨P₁; P₃, σ_I⟩. In this case there is no path having positive accumulated reward in the induced RMC, yielding an expected reward of 0. The probability of not reaching ⟨↯⟩ is also 0. The conditional expected reward in this case is undefined (0/0), thus the right branch is preferred over the left branch.

In general, the operational RMDP is not finite, even if the program terminates almost-surely (i.e. with probability 1).
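To make the quotient of Example IV.1 concrete, the following Python is an added illustration (not the paper's code): it encodes the operational RMDP of the example by hand, with q as a concrete Fraction, and evaluates CExpRew(◇sink | ¬◇↯) from Section II(b) for each memoryless scheduler and under the demonic minimum with the paper's "0/0 < 0" convention. The state labels, the "tau" action used for fully probabilistic states, and all function names are assumptions of this example. Because the program is loop-free, finite path enumeration suffices; a looping program would need the fixed-point treatment instead.

```python
from fractions import Fraction
from itertools import product

# Hand-written encoding of the operational RMDP of Example IV.1 (an assumption
# of this illustration, not generated from the program text). States are
# (program-fragment label, x) pairs; x is None before x has been assigned,
# standing for the arbitrary initial valuation sigma_I.
SINK = ("sink", None)
LIGHTNING = ("lightning", None)     # the <lightning> state: an observe failed
TAU = "tau"                         # dummy action of fully probabilistic states


def build_rmdp(q):
    """Return (initial state, transitions, reward) for
    {{x := 5} [] {x := 2}} [q] {x := 2}; observe x > 3  with post-expectation x.
    transitions maps (state, action) -> {successor: probability}."""
    init = ("P", None)
    s_left = ("P1;P3", None)        # non-deterministic choice, then observe
    s_right = ("P2;P3", None)       # x := 2, then observe
    transitions = {
        (init, TAU): {s_left: q, s_right: 1 - q},            # (prob. choice)
        (s_left, "left"): {("P3", 5): Fraction(1)},          # x := 5  (assign)
        (s_left, "right"): {("P3", 2): Fraction(1)},         # x := 2  (assign)
        (s_right, TAU): {("P3", 2): Fraction(1)},
        (("P3", 5), TAU): {("down", 5): Fraction(1)},        # observe x > 3 holds
        (("P3", 2), TAU): {LIGHTNING: Fraction(1)},          # observe x > 3 fails
        (("down", 5), TAU): {SINK: Fraction(1)},             # (terminal)
        (LIGHTNING, TAU): {SINK: Fraction(1)},               # (undesired)
    }
    # r(<down, tau>) = f(tau) with f = x; every other state has reward 0.
    reward = {("down", 5): Fraction(5)}
    return init, transitions, reward


def enabled(transitions, state):
    return sorted(a for (s, a) in transitions if s == state)


def cond_exp_reward(init, transitions, reward, scheduler):
    """CExpRew(<>sink | not <>lightning) in the RMC induced by a memoryless
    scheduler (dict: non-deterministic state -> action). Returns None for the
    undefined quotient 0/0. Enumerates finite paths, so the model must be acyclic."""
    exp_rew = Fraction(0)            # ExpRew(<>sink) = sum of Pr(pi) * r(pi)
    pr_not_lightning = Fraction(0)   # Pr(not <>lightning)
    stack = [(init, Fraction(1), Fraction(0), False)]
    while stack:
        state, pr, rew, hit = stack.pop()
        if state == SINK:
            exp_rew += pr * rew
            if not hit:
                pr_not_lightning += pr
            continue
        actions = enabled(transitions, state)
        action = scheduler[state] if len(actions) > 1 else actions[0]
        for succ, p in transitions[(state, action)].items():
            # the reward of a state is earned when leaving it
            stack.append((succ, pr * p, rew + reward.get(state, Fraction(0)),
                          hit or succ == LIGHTNING))
    if pr_not_lightning == 0:
        return None
    return exp_rew / pr_not_lightning


def demonic_value(q):
    """Minimum over all memoryless schedulers; the undefined 0/0 (None) counts
    as smaller than every defined value, as the paper assumes."""
    init, transitions, reward = build_rmdp(q)
    nondet = sorted({s for (s, _) in transitions if len(enabled(transitions, s)) > 1})
    per_scheduler = {}
    for choice in product(["left", "right"], repeat=len(nondet)):
        sched = dict(zip(nondet, choice))
        per_scheduler[choice] = cond_exp_reward(init, transitions, reward, sched)
    worst = min(per_scheduler.values(),
                key=lambda v: (v is not None, v if v is not None else 0))
    return worst, per_scheduler


def example_iv1():
    """The instance with q = 1/4, i.e. the program P_nondet of the introduction."""
    return demonic_value(Fraction(1, 4))


if __name__ == "__main__":
    print(example_iv1())
```

Running it reports 5 for the scheduler choosing left, None (0/0) for the one choosing right, and None as the demonic value, matching the example's conclusion that the right branch is preferred.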

V. Denotational Semantics for cpGCL^p

This section presents an expectation transformer semantics for the fully probabilistic fragment cpGCL^p of cpGCL. We formally relate this to the wp/wlp-semantics of pGCL as well as to the operational semantics from the previous section.


A. Conditional Expectation Transformers

An expectation transformer semantics for the fully probabilistic fragment of cpGCL is defined using the operators:

    cwp[·]:  E × E≤1 → E × E≤1
    cwlp[·]: E≤1 × E≤1 → E≤1 × E≤1

These functions can intuitively be viewed as the counterpart of wp and wlp respectively, as shortly shown. The weakest conditional pre-expectation cwp[P](f) of P ∈ cpGCL^p with respect to post-expectation f is now given as

$$\mathrm{cwp}[P](f) \;\triangleq\; \frac{\mathrm{cwp}_1[P](f, \mathbf{1})}{\mathrm{cwp}_2[P](f, \mathbf{1})} ,$$

where cwp₁[P](f, g) (resp. cwp₂[P](f, g)) denotes the first (resp. second) component of cwp[P](f, g) and 1 is the constant expectation one. The weakest liberal conditional pre-expectation cwlp[P](f) is defined analogously. In words, cwp[P](f)(σ) represents the expected value of f with respect to the distribution of final states obtained from executing P in state σ, given that all observe statements occurring along the runs of P were satisfied. The quotient defining cwp[P](f) is interpreted in the same way as the quotient

$$\frac{\Pr(A \cap B)}{\Pr(B)}$$

encoding the conditional probability Pr(A | B). However, here we measure the expected value of random variable f.⁵ The denominator cwp₂[P](f, 1)(σ) measures the probability that P satisfies all the observations (occurring along valid runs) from the initial state σ. If cwp₂[P](f, 1)(σ) = 0, program P is infeasible from state σ and in this case cwp[P](f)(σ) is not well-defined (due to the division by zero). This corresponds to the conditional probability Pr(A | B) being not well-defined when Pr(B) = 0.

The operators cwp and cwlp are defined inductively on the program structure, see Figure 2 (last column). Let us briefly explain this. cwp[skip] behaves as the identity since skip has no effect on the program state. cwp[abort] maps any pair of post-expectations to the pair of constant pre-expectations (0, 1). Assignments induce a substitution on expectations, i.e. cwp[x := E] maps (f, g) to pre-expectation (f[x/E], g[x/E]), where h[x/E](σ) = h(σ[x/E]) and σ[x/E] denotes the usual variable update on states. cwp[P₁; P₂] is obtained as the functional composition (denoted ∘) of cwp[P₁] and cwp[P₂]. cwp[observe G] restricts post-expectations to those states that satisfy G; states that do not satisfy G are mapped to 0. cwp[ite (G) {P₁} {P₂}] behaves either as cwp[P₁] or cwp[P₂] according to the evaluation of G. cwp[{P₁} [p] {P₂}] is obtained as a convex combination of cwp[P₁] and cwp[P₂], weighted according to p. cwp[while (G) {P'}] is defined using standard fixed point techniques.⁶ The cwlp transformer follows the same rules as cwp, except for the abort and while statements. cwlp[abort] takes any post-expectation to pre-expectation (1, 1) and cwlp[while (G) {P}] is defined as a greatest fixed point rather than a least fixed point.

⁵ In fact, cwp[P](f)(σ) corresponds to the notion of conditional expected value or in simpler terms, the expected value over a conditional distribution.

Example V.1. Consider the program P'

    1  {x := 0} [1/2] {x := 1};
    2  ite (x = 1) {{y := 0} [1/2] {y := 2}} {{y := 0} [4/5] {y := 3}};
    3  observe y = 0

Assume we want to compute the conditional expected value of the expression 10 + x given that the observation y = 0 is passed. This expected value is given by cwp[P'](10 + x) and the computation of cwp[P'](10 + x, 1) goes as follows:

    cwp[P'](10 + x, 1)
    = cwp[P'_{1..2}](cwp[observe y = 0](10 + x, 1))
    = cwp[P'_{1..2}](f, g)                                 where (f, g) = χ_{y=0} · (10 + x, 1)
    = cwp[P'_{1..1}](cwp[ite (x = 1) {...} {...}](f, g))
    = cwp[P'_{1..1}](χ_{x=1} · (h, i) + χ_{x≠1} · (h', i'))   where
        (h, i)   = cwp[{y := 0} [1/2] {y := 2}](f, g) = 1/2 · (10 + x, 1), and
        (h', i') = cwp[{y := 0} [4/5] {y := 3}](f, g) = 4/5 · (10 + x, 1)
    = 1/2 · 4/5 · (10 + 0, 1) + 1/2 · 1/2 · (10 + 1, 1)
    = (4, 2/5) + (11/4, 1/4) = (27/4, 13/20)

Then cwp[P'](10 + x) = (27/4) / (13/20) = 135/13 and the conditional expected value of 10 + x is approximately 10.38.
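The Figure 2 rules for the loop-free part of cpGCL^p can be executed directly. The following Python is an added illustration (not the paper's code): programs are nested tuples, expectations are functions from a variable valuation to a Fraction, and cwp returns the pair (cwp₁, cwp₂), which Theorem V.1 identifies with (wp[P](f), wlp[P](g)). It replays Example V.1, the two-coin program with observe x + y = 0 from Section III, and the infeasible case in which cwp₂ is 0. The tuple encoding, the Python callables standing in for E and G, the concrete values p = 1/3 and q = 1/4, and all function names are assumptions of this example.

```python
from fractions import Fraction

# Loop-free cpGCL^p programs as nested tuples (an encoding assumed by this
# illustration): ("skip",), ("abort",), ("assign", x, E), ("seq", P, Q),
# ("observe", G), ("ite", G, P, Q), ("prob", p, P, Q). E and G are Python
# callables on a state (dict variable -> value); expectations are callables
# state -> Fraction.

ONE = lambda s: Fraction(1)     # the constant expectation 1
ZERO = lambda s: Fraction(0)    # the constant expectation 0


def cwp(prog, f, g):
    """The cwp rules of Figure 2, returning the pair (cwp1, cwp2) of expectations.
    while is omitted: it needs the fixed point, not this finite recursion."""
    kind = prog[0]
    if kind == "skip":
        return f, g
    if kind == "abort":
        return ZERO, ONE
    if kind == "assign":
        _, x, e = prog
        subst = lambda h: (lambda s: h({**s, x: e(s)}))         # h[x/E](s) = h(s[x/E])
        return subst(f), subst(g)
    if kind == "seq":
        _, p, q = prog
        return cwp(p, *cwp(q, f, g))                             # cwp[P] o cwp[Q]
    if kind == "observe":
        _, guard = prog
        restrict = lambda h: (lambda s: h(s) if guard(s) else Fraction(0))  # chi_G . h
        return restrict(f), restrict(g)
    if kind == "ite":
        _, guard, p, q = prog
        (f1, g1), (f2, g2) = cwp(p, f, g), cwp(q, f, g)
        return ((lambda s: f1(s) if guard(s) else f2(s)),
                (lambda s: g1(s) if guard(s) else g2(s)))
    if kind == "prob":
        _, pr, p, q = prog
        (f1, g1), (f2, g2) = cwp(p, f, g), cwp(q, f, g)
        return ((lambda s: pr * f1(s) + (1 - pr) * f2(s)),
                (lambda s: pr * g1(s) + (1 - pr) * g2(s)))
    raise ValueError(f"unsupported statement {kind!r}")


def conditional_expectation(prog, f, state):
    """cwp[P](f)(state) = cwp1[P](f, 1)(state) / cwp2[P](f, 1)(state);
    None when the denominator is 0, i.e. P is infeasible from state."""
    num, den = cwp(prog, f, ONE)
    d = den(state)
    return None if d == 0 else num(state) / d


def assign(x, value):
    return ("assign", x, lambda s: value)


HALF = Fraction(1, 2)

# Example V.1, lines 1-3 of P'
EXAMPLE_V1 = ("seq",
    ("prob", HALF, assign("x", 0), assign("x", 1)),
    ("seq",
        ("ite", lambda s: s["x"] == 1,
            ("prob", HALF, assign("y", 0), assign("y", 2)),
            ("prob", Fraction(4, 5), assign("y", 0), assign("y", 3))),
        ("observe", lambda s: s["y"] == 0)))


def example_v1():
    """Returns (cwp1, cwp2, cwp[P'](10 + x)) for the post-expectation 10 + x."""
    f = lambda s: Fraction(10 + s["x"])
    num, den = cwp(EXAMPLE_V1, f, ONE)
    init = {"x": 0, "y": 0}       # initial values are irrelevant: x and y are overwritten
    return num(init), den(init), conditional_expectation(EXAMPLE_V1, f, init)


def two_coins(p, q):
    """Right program of Section III: probability of x = 0 given observe x + y = 0."""
    prog = ("seq",
        ("prob", p, assign("x", 0), assign("x", 1)),
        ("seq",
            ("prob", q, assign("y", 0), assign("y", -1)),
            ("observe", lambda s: s["x"] + s["y"] == 0)))
    chi_x0 = lambda s: Fraction(1 if s["x"] == 0 else 0)
    return conditional_expectation(prog, chi_x0, {"x": 0, "y": 0})


def two_coins_example():
    """Constructed instance p = 1/3, q = 1/4: pq / (pq + (1-p)(1-q)) = 1/7."""
    return two_coins(Fraction(1, 3), Fraction(1, 4))


def infeasible():
    """x := 0; observe x = 1 has no feasible run, so cwp2 is 0 and cwp is undefined."""
    prog = ("seq", assign("x", 0), ("observe", lambda s: s["x"] == 1))
    return conditional_expectation(prog, lambda s: Fraction(s["x"]), {"x": 0})
```

example_v1() returns (27/4, 13/20, 135/13), reproducing the computation above; two_coins_example() returns 1/7, the value of pq / (pq + (1−p)(1−q)) at the constructed parameters; infeasible() returns None, the division-by-zero case the text describes.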

In the rest of this section we investigate some properties of the expectation transformer semantics of cpGCL^p. As every fully probabilistic pGCL program is contained in cpGCL^p, we first study the relation of the cw(l)p- to the w(l)p-semantics of pGCL. To that end, we extend the weakest (liberal) pre-expectation operator to cpGCL as follows:

    wp[observe G](f) = χ_G · f      wlp[observe G](f) = χ_G · f .

To relate the cw(l)p- and w(l)p-semantics we heavily rely on the following result which says that cwp (resp. cwlp) can be decoupled as the product wp × wlp (resp. wlp × wlp).

Theorem V.1 (Decoupling of cw(l)p). For P ∈ cpGCL^p, f ∈ E, and f', g ∈ E≤1:

    cwp[P](f, g) = (wp[P](f), wlp[P](g))
    cwlp[P](f', g) = (wlp[P](f'), wlp[P](g))

⁶ We define cwp[while (G) {P}] by the least fixed point w.r.t. the order (⊑, ⊒) in E × E≤1. This way we encode the greatest fixed point in the second component w.r.t. the order ⊑ over E≤1 as the least fixed point w.r.t. the dual order ⊒.
Fig. 2. Definitions for the wp/wlp and cwp/cwlp operators.

    P                    | wp[P](f)                                        | cwp[P](f, g)
    skip                 | f                                               | (f, g)
    abort                | 0                                               | (0, 1)
    x := E               | f[x/E]                                          | (f[x/E], g[x/E])
    observe G            | χ_G · f                                         | χ_G · (f, g)
    P₁; P₂               | (wp[P₁] ∘ wp[P₂])(f)                            | (cwp[P₁] ∘ cwp[P₂])(f, g)
    ite (G) {P₁} {P₂}    | χ_G · wp[P₁](f) + χ_¬G · wp[P₂](f)              | χ_G · cwp[P₁](f, g) + χ_¬G · cwp[P₂](f, g)
    {P₁} [p] {P₂}        | p · wp[P₁](f) + (1 − p) · wp[P₂](f)             | p · cwp[P₁](f, g) + (1 − p) · cwp[P₂](f, g)
    {P₁} □ {P₂}          | λσ. min{wp[P₁](f)(σ), wp[P₂](f)(σ)}             | — not defined —
    while (G) {P'}       | μX. (χ_G · wp[P'](X) + χ_¬G · f)                | μ_{⊑,⊒}(X, Y). (χ_G · cwp[P'](X, Y) + χ_¬G · (f, g))

    P                    | wlp[P](f)                                       | cwlp[P](f, g)
    abort                | 1                                               | (1, 1)
    while (G) {P'}       | νX. (χ_G · wlp[P'](X) + χ_¬G · f)               | ν_{⊑,⊑}(X, Y). (χ_G · cwlp[P'](X, Y) + χ_¬G · (f, g))

The wlp (cwlp) operator differs from wp (cwp) only for abort and the while-loop. A scalar multiplication a · (f, g) is meant componentwise yielding (a · f, a · g). Likewise an addition (f, g) + (f', g') is also meant componentwise yielding (f + f', g + g').


Proof. By induction on the program structure. See Appendix B for details. □

Let pGCL$^\diamond$ denote the fully probabilistic fragment of pGCL. We show that the cwp-semantics is a conservative extension of the wp-semantics for pGCL$^\diamond$. The same applies to the weakest liberal pre-expectation semantics.

Theorem V.2 (Compatibility with the w(l)p-semantics). For $P \in \mathrm{pGCL}^\diamond$, $f \in \mathbb{E}$, and $g \in \mathbb{E}_{\le 1}$:
$$\mathrm{wp}[P](f) = \mathrm{cwp}[P](f) \qquad\text{and}\qquad \mathrm{wlp}[P](g) = \mathrm{cwlp}[P](g).$$

Proof. By Theorem V.1 and the fact that $\mathrm{wlp}[P](1) = 1$ for every observe-free program $P$, so that the normalizing denominator is $1$ (cf. Lemma V.3). □

We now investigate some elementary properties of cwp and cwlp such as monotonicity and linearity.

Lemma V.3 (Elementary properties of cwp and cwlp). For every $P \in \mathrm{cpGCL}^\diamond$ with at least one feasible execution (from every initial state), post-expectations $f, g \in \mathbb{E}$ and non-negative real constants $\alpha, \beta$:

i) $f \sqsubseteq g$ implies $\mathrm{cwp}[P](f) \sqsubseteq \mathrm{cwp}[P](g)$, and likewise for cwlp (monotonicity).
ii) $\mathrm{cwp}[P](\alpha\cdot f + \beta\cdot g) = \alpha\cdot\mathrm{cwp}[P](f) + \beta\cdot\mathrm{cwp}[P](g)$ (linearity).
iii) $\mathrm{cwp}[P](0) = 0$ and $\mathrm{cwlp}[P](1) = 1$.

Proof. Using Theorem V.1 one can show that the transformers cwp/cwlp inherit these properties from the transformers wp/wlp. For details we refer to Appendix D. □

We conclude this section by discussing alternative approaches for providing an expectation transformer semantics for $P \in \mathrm{cpGCL}^\diamond$. By Theorem V.1 the transformers $\mathrm{cwp}[P]$ and $\mathrm{cwlp}[P]$ can be recast as
$$\frac{\mathrm{wp}[P](f)}{\mathrm{wlp}[P](1)} \qquad\text{and}\qquad \frac{\mathrm{wlp}[P](f)}{\mathrm{wlp}[P](1)},$$
respectively. Recall that $\mathrm{wlp}[P](1)$ yields the weakest pre-expectation under which $P$ either does not terminate or does terminate while passing all observe-statements. An alternative is to normalize using wp in the denominator instead of wlp, yielding:
$$\frac{\mathrm{wp}[P](f)}{\mathrm{wp}[P](1)} \qquad\text{and}\qquad \frac{\mathrm{wlp}[P](f)}{\mathrm{wp}[P](1)}.$$
The transformer on the right is not meaningful, as the denominator $\mathrm{wp}[P](1)(\sigma)$ may be smaller than the numerator $\mathrm{wlp}[P](f)(\sigma)$ for some state $\sigma \in \mathbb{S}$. This would lead to probabilities exceeding one. The transformer on the left normalizes w.r.t. the terminating executions. This interpretation corresponds to the semantics of the probabilistic programming language R2 and is only meaningful if programs terminate almost surely (i.e. with probability one).

A noteworthy consequence of adopting this semantics is that observe $G$ is equivalent to while $(\neg G)$ {skip}; see the discussion in Section VI.

Let us briefly compare the four alternatives. To that end consider the program $P$ below:

  {abort} [1/2] {{x := 0} [1/2] {x := 1}; {y := 0} [1/2] {y := 1}; observe (x = 0 ∨ y = 0)}

$P$ tosses a fair coin and according to the outcome either diverges or tosses a fair coin twice and observes at least once heads ($y=0 \vee x=0$). We measure the probability that the outcome of the last coin toss was heads according to each transformer:
$$\frac{\mathrm{wp}[P](\chi_{y=0})}{\mathrm{wlp}[P](1)} = \frac{2}{7}, \qquad\qquad \frac{\mathrm{wlp}[P](\chi_{y=0})}{\mathrm{wlp}[P](1)} = \frac{6}{7},$$
$$\frac{\mathrm{wp}[P](\chi_{y=0})}{\mathrm{wp}[P](1)} = \frac{2}{3}, \qquad\qquad \frac{\mathrm{wlp}[P](\chi_{y=0})}{\mathrm{wp}[P](1)} = 2.$$
As mentioned before, the transformer $f \mapsto \mathrm{wlp}[P](f)/\mathrm{wp}[P](1)$ is not significant, as it yields a "probability" exceeding one. Note that our cwp-semantics yields a probability of $y=0$ on termination, while passing all observe-statements, of $2/7$. As shown before, this is a conservative and natural extension of the wp-semantics. This does not apply to the R2-semantics, as this would require an adaptation of the rules for abort and while.


B. Correspondence Theorem

We now investigate the connection between the operational semantics of Section IV (for fully probabilistic programs) and the cwp-semantics. We start with some auxiliary results. The first result establishes a relation between (liberal) expected rewards and weakest (liberal) pre-expectations.

Lemma V.4. For $P \in \mathrm{cpGCL}^\diamond$, $f \in \mathbb{E}$, $g \in \mathbb{E}_{\le 1}$, and $\sigma \in \mathbb{S}$:
$$\mathrm{ExpRew}^{\mathcal{R}^{f}_{\sigma}[P]}(\Diamond\langle sink\rangle) = \mathrm{wp}[P](f)(\sigma) \qquad (i)$$
$$\mathrm{LExpRew}^{\mathcal{R}^{g}_{\sigma}[P]}(\Diamond\langle sink\rangle) = \mathrm{wlp}[P](g)(\sigma) \qquad (ii)$$

Proof. By induction on $P$, see Appendices E and F. □

The next result establishes that the probability to never reach a $\langle\lightning\rangle$ state in the RMC of program $P$ coincides with the weakest liberal pre-expectation of $P$ w.r.t. post-expectation $1$:

Lemma V.5. For $P \in \mathrm{cpGCL}^\diamond$ and $\sigma \in \mathbb{S}$:
$$\Pr{}^{\mathcal{R}_{\sigma}[P]}(\neg\Diamond\langle\lightning\rangle) = \mathrm{wlp}[P](1)(\sigma).$$

Proof. See Appendix G. □

We now have all prerequisites in order to present the main result of this section: the correspondence between the operational and the expectation transformer semantics of cpGCL$^\diamond$ programs. It turns out that the weakest (liberal) pre-expectation $\mathrm{cwp}[P](f)(\sigma)$ (respectively $\mathrm{cwlp}[P](f)(\sigma)$) coincides with the conditional (liberal) expected reward in the RMC $\mathcal{R}^{f}_{\sigma}[P]$ of terminating while never violating an observe-statement, i.e., avoiding the $\langle\lightning\rangle$ states.

Theorem V.6 (Correspondence theorem). For $P \in \mathrm{cpGCL}^\diamond$, $f \in \mathbb{E}$, $g \in \mathbb{E}_{\le 1}$ and $\sigma \in \mathbb{S}$,
$$\mathrm{CExpRew}^{\mathcal{R}^{f}_{\sigma}[P]}\bigl(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\lightning\rangle\bigr) = \mathrm{cwp}[P](f)(\sigma)$$
$$\mathrm{CLExpRew}^{\mathcal{R}^{g}_{\sigma}[P]}\bigl(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\lightning\rangle\bigr) = \mathrm{cwlp}[P](g)(\sigma).$$

Proof. The proof makes use of Lemmas V.4, V.5 and Theorem V.1. For details see Appendix H. □

Theorem V.6 extends a previous result [10], which established a connection between an operational and the wp/wlp semantics for pGCL programs, to the fully probabilistic fragment of cpGCL.


VI. Applications

In this section we study approaches that make use of our semantics in order to analyze fully probabilistic programs with observations. We first present a program transformation based on hoisting observe statements in a way that probabilities of conditions are extracted, allowing for a subsequent analysis of an observation-free program. Furthermore, we discuss how observations can be replaced by loops and vice versa. Finally, we use a well-known case study to demonstrate the direct applicability of our cwp-semantics.

A. Observation Hoisting

In what follows we give a semantics-preserving transformation for removing observations from cpGCL$^\diamond$ programs. Intuitively, the program transformation "hoists" the observe statements while updating the probabilities in case of probabilistic choices. Given $P \in \mathrm{cpGCL}^\diamond$, the transformation delivers a semantically equivalent observe-free program $\hat{P} \in \mathrm{pGCL}^\diamond$ and, as a side product, an expectation $h \in \mathbb{E}_{\le 1}$ that captures the probability of the original program to establish all observe statements. For intuition, reconsider the program from Example V.1. The transformation yields the program

  {x := 0} [8/13] {x := 1};
  ite (x = 1) {{y := 0} [1] {y := 2}} {{y := 0} [1] {y := 3}}

and expectation $h = 13/20$. By eliminating dead code in both probabilistic choices and coalescing the branches in the conditional, we can simplify the program to:

  {x := 0} [8/13] {x := 1}; y := 0

As a sanity check note that the expected value of $10+x$ in this program is equal to $10\cdot\frac{8}{13} + 11\cdot\frac{5}{13} = \frac{135}{13}$, which agrees with the result obtained in Example V.1 by analyzing the original program. Formally, the program transformation is given by a function
$$\mathcal{T}\colon \mathrm{cpGCL}^\diamond \times \mathbb{E}_{\le 1} \to \mathrm{pGCL}^\diamond \times \mathbb{E}_{\le 1}.$$
To apply the transformation to a program $P$ we need to determine $\mathcal{T}(P, 1)$, which gives the semantically equivalent program $\hat{P}$ and the expectation $h$.

The transformation is defined in Figure 3 and works by inductively computing the weakest pre-expectation that guarantees the establishment of all observe statements and updating the probability parameter of probabilistic choices so that the pre-expectations of their branches are established in accordance with the original probability parameter. The computation of these pre-expectations is performed following the same rules as the wlp operator. The correctness of the transformation is established by the following theorem, which states that a program and its transformed version share the same terminating and non-terminating behavior.

Theorem VI.1 (Program Transformation Correctness). Let $P \in \mathrm{cpGCL}^\diamond$ admit at least one feasible run for every initial state and $\mathcal{T}(P, 1) = (\hat{P}, h)$. Then for any $f \in \mathbb{E}$ and $g \in \mathbb{E}_{\le 1}$,
$$\mathrm{wp}[\hat{P}](f) = \mathrm{cwp}[P](f) \qquad\text{and}\qquad \mathrm{wlp}[\hat{P}](g) = \mathrm{cwlp}[P](g).$$

Proof. See Appendix I. □

A similar program transformation has been given in earlier work. Whereas they use random assignments to introduce randomization in their programming model, we use probabilistic choices. Consequently, they can hoist observe statements only until the occurrence of a random assignment, while we are able to hoist observe statements through probabilistic choices and completely remove them from programs. Another difference is that their semantics only accounts for terminating program behaviors and thus can guarantee the correctness of the program transformation for terminating behaviors only. Our semantics is more expressive and enables establishing the correctness of the program transformation for non-terminating program behavior, too.
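The following is an added example (it is not code from the paper and not part of the authors' work): a small evaluator for the loop-free fragment of cpGCL$^\diamond$ that implements the wp/wlp/cwp rules of Fig. 2 and the hoisting transformation $\mathcal{T}$ of Fig. 3, and checks the numbers quoted on this page: the four normalizations of Section V-A ($2/7$, $6/7$, $2/3$, $2$) and the Example V.1 / Section VI-A values ($135/13$, $h = 13/20$, rescaled probability $8/13$). All names are this example's own. Choice probabilities are represented as functions of the state, because hoisting turns a constant $p$ into the state-dependent $p'$; exact rational arithmetic is used so that the equalities can be checked exactly.

```python
from fractions import Fraction as Fr

# A loop-free cpGCL program is a nested tuple; an expectation is a function from a state
# (a dict of variable values) to a Fraction. Choice probabilities are also functions of the
# state, because hoisting (Fig. 3) turns a constant p into a state-dependent p'.
def skip():            return ('skip',)
def abort():           return ('abort',)
def assign(x, e):      return ('assign', x, e)      # e: state -> value
def observe(g):        return ('observe', g)        # g: state -> bool
def seq(*ps):          return ('seq',) + ps
def ite(g, p, q):      return ('ite', g, p, q)
def pchoice(p, a, b):  return ('pc', p, a, b)       # p: state -> Fraction
def const(c):          return lambda s: Fr(c)
ONE, ZERO = const(1), const(0)

def wp(P, f, liberal=False):
    """wp[P](f), or wlp[P](f) if liberal, by the rules of Fig. 2 (no while, no nondeterminism)."""
    tag = P[0]
    if tag == 'skip':    return f
    if tag == 'abort':   return ONE if liberal else ZERO
    if tag == 'assign':  return lambda s: f({**s, P[1]: P[2](s)})      # f[x/E]
    if tag == 'observe': return lambda s: f(s) if P[1](s) else Fr(0)   # chi_G * f
    if tag == 'seq':                                                   # wp[P1] o wp[P2]
        for Q in reversed(P[1:]):
            f = wp(Q, f, liberal)
        return f
    a, b = wp(P[2], f, liberal), wp(P[3], f, liberal)
    if tag == 'ite':     return lambda s: a(s) if P[1](s) else b(s)
    if tag == 'pc':      return lambda s: P[1](s) * a(s) + (1 - P[1](s)) * b(s)
    raise ValueError(tag)

def wlp(P, f): return wp(P, f, liberal=True)

def cwp(P, f):
    """Theorem V.1: cwp[P](f) = wp[P](f) / wlp[P](1)."""
    num, den = wp(P, f), wlp(P, ONE)
    return lambda s: num(s) / den(s)

def hoist(P, f):
    """T(P, f) of Fig. 3 for the loop-free fragment: an observe-free program together with
    the pre-expectation of passing every observation (h is the second component of T(P, 1))."""
    tag = P[0]
    if tag == 'skip':    return P, f
    if tag == 'abort':   return P, ONE
    if tag == 'assign':  return P, (lambda s: f({**s, P[1]: P[2](s)}))
    if tag == 'observe': return skip(), (lambda s: f(s) if P[1](s) else Fr(0))
    if tag == 'seq':
        out = []
        for Q in reversed(P[1:]):
            Q2, f = hoist(Q, f)
            out.append(Q2)
        return seq(*reversed(out)), f
    (A, fa), (B, fb) = hoist(P[2], f), hoist(P[3], f)
    if tag == 'ite':
        return ite(P[1], A, B), (lambda s: fa(s) if P[1](s) else fb(s))
    if tag == 'pc':
        p = P[1]
        mix = lambda s: p(s) * fa(s) + (1 - p(s)) * fb(s)
        # p' = p*f_A / (p*f_A + (1-p)*f_B). If both branches are infeasible (mix = 0) the
        # choice is irrelevant and p is kept; Theorem VI.1 excludes such programs anyway.
        new_p = lambda s: p(s) * fa(s) / mix(s) if mix(s) else p(s)
        return pchoice(new_p, A, B), mix
    raise ValueError(tag)

HALF = const(Fr(1, 2))
S0 = {'x': 0, 'y': 0}                      # constructed initial state
TEN_PLUS_X = lambda s: Fr(10 + s['x'])

# The conditioned program of Example V.1.
P_EX = seq(pchoice(HALF, assign('x', const(0)), assign('x', const(1))),
           ite(lambda s: s['x'] == 1,
               pchoice(HALF, assign('y', const(0)), assign('y', const(2))),
               pchoice(const(Fr(4, 5)), assign('y', const(0)), assign('y', const(3)))),
           observe(lambda s: s['y'] == 0))

def example_cwp():
    """cwp[P'](10 + x) at the initial state: 135/13."""
    return cwp(P_EX, TEN_PLUS_X)(S0)

def example_hoisted():
    """(wp[P_hat](10 + x), h, p' of the first choice) for T(P', 1): (135/13, 13/20, 8/13)."""
    P_hat, h = hoist(P_EX, ONE)
    return wp(P_hat, TEN_PLUS_X)(S0), h(S0), P_hat[1][1](S0)

# Program P of Section V-A: a fair coin chooses between divergence and two conditioned tosses.
P_CMP = pchoice(HALF, abort(),
                seq(pchoice(HALF, assign('x', const(0)), assign('x', const(1))),
                    pchoice(HALF, assign('y', const(0)), assign('y', const(1))),
                    observe(lambda s: s['x'] == 0 or s['y'] == 0)))
Y_IS_0 = lambda s: Fr(1 if s['y'] == 0 else 0)

def four_normalisations():
    """The four candidate transformers applied to chi_{y=0}: (2/7, 6/7, 2/3, 2)."""
    n_wp, n_wlp = wp(P_CMP, Y_IS_0)(S0), wlp(P_CMP, Y_IS_0)(S0)
    d_wlp, d_wp = wlp(P_CMP, ONE)(S0), wp(P_CMP, ONE)(S0)
    return n_wp / d_wlp, n_wlp / d_wlp, n_wp / d_wp, n_wlp / d_wp
```

The evaluator deliberately stops at the loop-free fragment: a while-loop needs the fixed points of Fig. 2, which is exactly what hoisting avoids for the observe statements and what Section VI-C avoids for iid loops. Note that `four_normalisations` reproduces the "probability" of $2$ for the rejected transformer $\mathrm{wlp}[P](f)/\mathrm{wp}[P](1)$ because abort contributes $1$ to the numerator but $0$ to the denominator.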

B. Replacing Observations by Loops

For semantics that normalize with respect to the terminating behavior of programs, observe statements can readily be replaced by a loop. In our setting a more intricate transformation is required to eliminate observations from programs. Briefly stated, the idea is to restart a violating run from the initial state until it satisfies all encountered observations. To achieve this we consider a fresh variable rerun and transform a given program $P \in \mathrm{cpGCL}$ into a new program $P'$ as described below:

  observe G          →  ite (¬G) {rerun := true} {skip}
  abort              →  ite (¬rerun) {abort} {skip}
  while (G) {...}    →  while (G ∧ ¬rerun) {...}

For conditional and probabilistic choice, we apply the above rules recursively to the subprograms.

The aim of the transformation is twofold. First, the program $P'$ flags the violation of an observe statement through the variable rerun. If a violation occurs, rerun is set to true, while in contrast to the original program we continue the program execution. As a side effect, we may introduce some subsequent diverging behavior which would not be present in the original program (since the execution would already have been blocked). The second aim of the transformation is to avoid this possible diverging behavior. This is achieved by blocking while-loops and abort statements once rerun is set to true.

Now we can get rid of the observations in $P$ by repeatedly executing $P'$ from the same initial state until rerun is false after a run (which intuitively corresponds to $P$ passing all its observations). This is implemented by program $P''$ below:

  s1, ..., sn := x1, ..., xn; rerun := true;
  while (rerun) { x1, ..., xn := s1, ..., sn; rerun := false; P' }

Here, s1, ..., sn are fresh variables and x1, ..., xn are all program variables of $P$. The first assignment stores the initial state in the variables si, and the first line of the loop body ensures that every iteration starts with the same (initial) values and with rerun reset to false.

Theorem VI.2. Let programs $P$ and $P''$ be as above. Then
$$\mathrm{cwp}[P](f) = \mathrm{wp}[P''](f).$$

Proof. See Appendix I. □

Example VI.1. Consider the following cpGCL program:

  {x := 0} [p] {x := 1}; {y := 0} [p] {y := 1};
  observe (x ≠ y)

We apply the program transformation to it and obtain:

  s1, s2 := x, y; rerun := true;
  while (rerun) {
    x, y := s1, s2; rerun := false;
    {x := 0} [p] {x := 1};
    {y := 0} [p] {y := 1};
    ite (x = y) {rerun := true} {skip}
  }

This program is simplified by a data flow analysis: the variables s1 and s2 are irrelevant because x and y are overwritten in every iteration. Furthermore, there is only one observation, so its predicate can be pushed directly into the loop's guard. Then the initial values of x and y may be arbitrary, but they must be equal to make sure the loop is entered. This gives the final result

  x, y := 0, 0;
  while (x = y) {
    {x := 0} [p] {x := 1}; {y := 0} [p] {y := 1}
  }

This program is a simple algorithm that repeatedly uses a biased coin to simulate an unbiased coin flip. A proof that x is indeed distributed uniformly over {0, 1} has been given previously.

Theorem VI.2 shows how to define and effectively calculate the conditional expectation using a straightforward program transformation and the well-established notion of wp. However, in practice it will often be infeasible to calculate the fixed point of the outer loop or to find a suitable loop invariant, even though it exists.
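The rerun construction can be executed directly. The following added example (not code from the paper) runs $P''$ operationally for Example VI.1: a program is a Python function `program(state, coin)`, and `observe(G)` raises `Violation` when $G$ fails, which plays the role of `rerun := true`. Because the violation unwinds the run immediately, the statements after it (which the paper neutralizes with `ite (¬rerun) {abort} {skip}` and `while (G ∧ ¬rerun)`) never execute, so no new divergence is introduced. All names are this example's own, and the coin is seeded so the estimate is reproducible.

```python
import random

class Violation(Exception):
    """observe G failed: the run is rejected and has to be restarted."""

def observe(cond):
    """observe G of cpGCL; the transformation turns a failure into rerun := true."""
    if not cond:
        raise Violation

def rerun(program, init, coin, max_reruns=10_000):
    """Program P'' of Section VI-B: store the initial state, then re-run `program` from it
    until a run passes every observation. Returns (final_state, attempts).
    A program without any feasible run never leaves the loop; Theorem VI.2 excludes that
    case, and the cap makes this function return (None, max_reruns) instead of hanging."""
    saved = dict(init)                   # s_1..s_n := x_1..x_n
    for attempt in range(1, max_reruns + 1):
        state = dict(saved)              # x_1..x_n := s_1..s_n ; rerun := false
        try:
            program(state, coin)         # P'
            return state, attempt        # rerun is still false: all observations passed
        except Violation:
            pass                         # rerun := true: restart from the stored state
    return None, max_reruns

def two_coins(state, coin):
    """Example VI.1: {x:=0}[p]{x:=1}; {y:=0}[p]{y:=1}; observe(x != y)."""
    state['x'] = 0 if coin() else 1
    state['y'] = 0 if coin() else 1
    observe(state['x'] != state['y'])

def biased_coin(p, seed):
    """coin() is True with probability p; seeded so that the estimate is reproducible."""
    rng = random.Random(seed)
    return lambda: rng.random() < p

def estimate(p, runs=20_000, seed=1):
    """Empirical cwp[P](chi_{x=0}) = wp[P''](chi_{x=0}) and the mean number of attempts.
    Exact values: 1/2 for every 0 < p < 1 (the rescaled coin is fair), and the mean number of
    attempts is 1 / (2p(1-p)), the reciprocal of the probability of passing the observe."""
    coin = biased_coin(p, seed)
    hits = attempts = 0
    for _ in range(runs):
        state, n = rerun(two_coins, {'x': 0, 'y': 0}, coin)   # constructed initial state
        hits += state['x'] == 0
        attempts += n
    return hits / runs, attempts / runs

def infeasible_case():
    """With p = 1 both coins always show 0, observe(x != y) can never pass and P''
    diverges; rerun gives up after the cap instead of looping forever."""
    return rerun(two_coins, {'x': 0, 'y': 0}, biased_coin(1.0, 0))
```

The second component returned by `estimate` is the practical cost of this transformation: the expected number of restarts is the reciprocal of $\mathrm{wlp}[P](1)$, so the less likely the observation, the more iterations of the outer loop are needed, which is the operational counterpart of the remark above that computing the outer loop's fixed point is often infeasible.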

Fig. 3. Program transformation for eliminating observe statements in cpGCL$^\diamond$.

  $\mathcal{T}(\mathtt{skip}, f) = (\mathtt{skip},\ f)$
  $\mathcal{T}(\mathtt{abort}, f) = (\mathtt{abort},\ 1)$
  $\mathcal{T}(x := E, f) = (x := E,\ f[x/E])$
  $\mathcal{T}(\mathtt{observe}\ G, f) = (\mathtt{skip},\ \chi_G\cdot f)$
  $\mathcal{T}(\mathtt{ite}\,(G)\,\{P\}\,\{Q\}, f) = (\mathtt{ite}\,(G)\,\{P'\}\,\{Q'\},\ \chi_G\cdot f_P + \chi_{\neg G}\cdot f_Q)$
    where $(P', f_P) = \mathcal{T}(P, f)$ and $(Q', f_Q) = \mathcal{T}(Q, f)$
  $\mathcal{T}(\{P\}\,[p]\,\{Q\}, f) = (\{P'\}\,[p']\,\{Q'\},\ p\cdot f_P + (1-p)\cdot f_Q)$
    where $(P', f_P) = \mathcal{T}(P, f)$, $(Q', f_Q) = \mathcal{T}(Q, f)$, and $p' = \dfrac{p\cdot f_P}{p\cdot f_P + (1-p)\cdot f_Q}$
  $\mathcal{T}(\mathtt{while}\,(G)\,\{P\}, f) = (\mathtt{while}\,(G)\,\{P'\},\ f')$
    where $f' = \nu X.\ \chi_G\cdot(\pi_2\circ\mathcal{T})(P, X) + \chi_{\neg G}\cdot f$ and $(P', \_) = \mathcal{T}(P, f')$
  $\mathcal{T}(P;\,Q, f) = (P';\,Q',\ f'')$
    where $(Q', f') = \mathcal{T}(Q, f)$ and $(P', f'') = \mathcal{T}(P, f')$

C. Replacing Loops by Observations

In this section we provide an overview of how the aforementioned result can be "applied backwards" in order to replace a loop by an observe statement. This is useful as it is easier to analyze a loop-free program with observations than a program with loops, for which fixed points need to be determined.

The transformation presented in Section VI-B yields programs of a certain form: in every loop iteration the variable values are initialized independently of their values after the previous iteration. Hence the loop iterations generate a sequence of program variable valuations that are independent and identically distributed (iid loop), cf. Example VI.1 where no "data flow" between iterations of the loop occurs.

In general, if $\mathit{loop} = \mathtt{while}\,(G)\,\{P\}$ is an iid loop we can obtain a program $Q = P;\ \mathtt{observe}\ \neg G$ with
$$\mathrm{wp}[\mathit{loop}](f) = \mathrm{cwp}[Q](f)$$
for any expectation $f \in \mathbb{E}$. To see this, apply Theorem VI.2 to program $Q$. Let the resulting program be $\mathit{loop}'$. As in Example VI.1 note that there is only one observe statement at the end of $\mathit{loop}'$ and furthermore there is no data flow between iterations of $\mathit{loop}'$. Hence by the same simplification steps we arrive at the desired program $\mathit{loop}$.

D. The Crowds Protocol

To demonstrate the applicability of the cwp-semantics to a practical example, consider the Crowds protocol. A set of nodes forms a fully connected network called the crowd. Crowd members would like to exchange messages with a server without revealing their identity to the server. To achieve this, a node initiates communication by sending its message to a randomly chosen crowd member, possibly itself. Upon receiving a message a node probabilistically decides to either forward the message once again to a randomly chosen node in the network or to relay it to the server directly. A commonly studied attack scenario is that some malicious nodes called collaborators join the crowd and participate in the protocol with the aim to reveal the identity of the sender. The following cpGCL program $P$ models this protocol, where $p$ is the forward probability and $c$ is the fraction of collaborating nodes in the crowd. The initialization corresponds to the communication initiation.

  Init:  {intercepted := 1} [c] {intercepted := 0};
         delivered := 0; counter := 1
  loop:  while (delivered = 0) {
           {counter := counter + 1;
            {intercepted := 1} [c] {skip}}
           [p]
           {delivered := 1}
         };
         observe (counter < k)

Our goal is to determine the probability of a message not being intercepted by a collaborator. We condition this on the observation that a message is forwarded at most $k$ times.

Note that the operational semantics of $P$ produce an infinite parametric RMC since the value of $k$ is fixed but arbitrary. Using Theorem V.1 we express the probability that a message is not intercepted given that it was rerouted no more than $k$ times by
$$\frac{\mathrm{wp}[P](\chi_{\mathit{intercepted}=0})}{\mathrm{wlp}[P](1)}.$$
The computation of this quantity requires finding fixed points, cf. the appendix for details. As a result we obtain a closed-form solution parametrized in $p$, $c$, and $k$:
$$\frac{(1-c)(1-p)}{1-p(1-c)} \cdot \frac{1-\bigl(p(1-c)\bigr)^{k}}{1-p^{k}}.$$

The automation of such analyses remains a challenge and is part of ongoing and future work.
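The conditional probability above can be computed without any fixed-point machinery, because the observation cuts the loop off after finitely many iterations. The following added example (not code from the paper) unrolls the Crowds loop in the manner of the bounded loops of Appendix E, sums the path probabilities of the runs that pass the observation, and compares the quotient $\mathrm{wp}[P](\chi_{\mathit{intercepted}=0})/\mathrm{wlp}[P](1)$ with the geometric-series closed form. All names are this example's own. The parameter `bound` is the number of loop iterations the observation admits: with `counter := 1` and `observe (counter < k)` as printed it is $k-1$, and it is $k$ if the counter starts at $0$ or the observation is `counter ≤ k`, which is the exponent used in the closed form above; the code takes it as a parameter so both readings can be checked.

```python
from fractions import Fraction as Fr

def crowds_conditional(p, c, bound):
    """P(intercepted = 0 | the loop body ran fewer than `bound` times) for the Crowds program
        {intercepted:=1}[c]{intercepted:=0}; delivered:=0; counter:=1;
        while (delivered = 0) { {counter:=counter+1; {intercepted:=1}[c]{skip}} [p] {delivered:=1} };
        observe (counter < k)
    computed as wp[P](chi_{intercepted=0}) / wlp[P](1) by unrolling the loop. A run with n
    forwards passes the observation iff n < bound (bound = k-1 for the program as printed).
    Every other terminating run is blocked by the observe and contributes 0 to both
    quantities, and for p < 1 the loop terminates almost surely, so wlp[P](1) is exactly
    the probability mass of the passing runs."""
    if not 0 <= p < 1 or not 0 <= c <= 1 or bound <= 0:
        return None                      # no feasible run, or a loop that may not terminate
    num = den = Fr(0)
    for n in range(bound):               # n forwards, then delivered := 1
        path = p ** n * (1 - p)          # probability of exactly this path through the loop
        den += path                      # wlp[P](1): the run passes observe
        num += path * (1 - c) ** (n + 1) # ... and is not intercepted at init nor on any hop
    return num / den

def crowds_closed_form(p, c, bound):
    """The two geometric sums above in closed form, with m = bound:
       (1-c)(1-p)/(1-p(1-c)) * (1-(p(1-c))^m)/(1-p^m)."""
    if not 0 <= p < 1 or not 0 <= c <= 1 or bound <= 0:
        return None
    m = bound
    return ((1 - c) * (1 - p) / (1 - p * (1 - c))) * (1 - (p * (1 - c)) ** m) / (1 - p ** m)
```

Both functions use exact rationals, so agreement can be checked with `==` rather than a tolerance. The guards matter: for $p = 1$ the loop never terminates and $\mathrm{wlp}[P](1)$ counts the diverging runs while $\mathrm{wp}[P](1)$ does not, which is precisely the situation in which the normalizations of Section V-A differ, and for `bound <= 0` no run passes the observation, so the quotient is $0/0$ and the premise of Lemma V.3 (at least one feasible run) fails.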


VII. Denotational Semantics for Full cpGCL

In this section we argue why (under mild assumptions) it is not possible to come up with a denotational semantics in the style of conditional pre-expectation transformers (CPETs for short) for full cpGCL. To show this, it suffices to consider a simple fragment of cpGCL containing only assignments, observations, probabilistic and non-deterministic choices. Let $x$ be the only program variable that can be written or read in this fragment. We denote this fragment by $\mathrm{cpGCL}^{x}$. Assume $D$ is some appropriate domain for representing conditional expectations of the program variable $x$ with respect to some fixed initial state $\sigma_0$, and let $[\cdot]\colon D \to \mathbb{R}\cup\{\bot\}$ be an interpretation function such that for any $d \in D$ we have that $[d]$ is equal to the (possibly undefined) conditional expected value of $x$.


Definition VII.1 (Inductive CPETs). A CPET is a function $\mathrm{cwp}^*\colon \mathrm{cpGCL}^{x} \to D$ such that for any $P \in \mathrm{cpGCL}^{x}$,
$$[\mathrm{cwp}^*[P]] = \mathrm{CExpRew}^{\mathcal{R}_{\sigma_0}[P]}\bigl(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\lightning\rangle\bigr).$$
$\mathrm{cwp}^*$ is called inductive if there exists some function $\mathcal{K}\colon D \times [0,1] \times D \to D$ such that for any $P_1, P_2 \in \mathrm{cpGCL}^{x}$,
$$\mathrm{cwp}^*[\{P_1\}\,[p]\,\{P_2\}] = \mathcal{K}(\mathrm{cwp}^*[P_1],\ p,\ \mathrm{cwp}^*[P_2]),$$
and some function $\mathcal{N}\colon D \times D \to D$ with
$$\mathrm{cwp}^*[\{P_1\}\,\square\,\{P_2\}] = \mathcal{N}(\mathrm{cwp}^*[P_1],\ \mathrm{cwp}^*[P_2]),$$
where $\forall d_1, d_2 \in D\colon\ \mathcal{N}(d_1, d_2) \in \{d_1, d_2\}$.

This definition suggests that the conditional pre-expectation of $\{P_1\}\,[p]\,\{P_2\}$ is determined only by the conditional pre-expectation of $P_1$, the conditional pre-expectation of $P_2$, and the probability $p$. Furthermore the above definition suggests that the conditional pre-expectation of $\{P_1\}\,\square\,\{P_2\}$ is also determined by the conditional pre-expectations of $P_1$ and $P_2$ only. Consequently, the non-deterministic choice can be resolved by replacing it either by $P_1$ or by $P_2$. While this might seem like a strong limitation, the above definition is compatible with the interpretation of non-deterministic choice as demonic choice: the choice is deterministically driven towards the worst option. The requirement $\mathcal{N}(d_1, d_2) \in \{d_1, d_2\}$ is also necessary for interpreting non-deterministic choice as an abstraction where implementation details are not important.

As we assume a fixed initial state and a fixed post-expectation, the non-deterministic choice turns out to be deterministic once the pre-expectations of $P_1$ and $P_2$ are known. Under the above assumptions (which do apply to the wp and wlp transformers) we claim:

Theorem VII.1. There exists no inductive CPET.

Proof. The proof goes by contradiction. Consider the program $P = \{P_1\}\,[1/2]\,\{P_5\}$ with

  $P_1 = x := 1$
  $P_5 = \{P_2\}\,\square\,\{P_4\}$
  $P_2 = x := 2$
  $P_4 = \{\mathtt{observe}\ \mathit{false}\}\,[1/2]\,\{P_{2+\varepsilon}\}$
  $P_{2+\varepsilon} = x := 2 + \varepsilon$,

where $\varepsilon > 0$. A schematic depiction of the RMDP $\mathcal{R}_{\sigma_0}[P]$ is given in Figure 4. Assume there exists an inductive CPET $\mathrm{cwp}^*$ over some appropriate domain $D$. Then,

  $\mathrm{cwp}^*[P_1] = d_1$, with $[d_1] = 1$
  $\mathrm{cwp}^*[P_2] = d_2$, with $[d_2] = 2$
  $\mathrm{cwp}^*[P_{2+\varepsilon}] = d_{2+\varepsilon}$, with $[d_{2+\varepsilon}] = 2 + \varepsilon$
  $\mathrm{cwp}^*[\mathtt{observe}\ \mathit{false}] = \mathit{of}$, with $[\mathit{of}] = \bot$

for some appropriate $d_1, d_2, d_{2+\varepsilon}, \mathit{of} \in D$. By Definition VII.1, $\mathrm{cwp}^*$ being inductive requires the existence of a function $\mathcal{K}$ such that
$$\mathrm{cwp}^*[P_4] = \mathcal{K}(\mathrm{cwp}^*[\mathtt{observe}\ \mathit{false}],\ 1/2,\ \mathrm{cwp}^*[P_{2+\varepsilon}]) = \mathcal{K}(\mathit{of},\ 1/2,\ d_{2+\varepsilon}).$$
In addition, there must be an $\mathcal{N}$ with
$$\mathrm{cwp}^*[P_5] = \mathcal{N}(\mathrm{cwp}^*[P_2],\ \mathrm{cwp}^*[P_4]) = \mathcal{N}(d_2,\ \mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon})).$$
Since $P_4$ is a probabilistic choice between an infeasible branch and $P_{2+\varepsilon}$, the expected value for $x$ has to be rescaled to the feasible branch. Hence $P_4$ yields $[\mathrm{cwp}^*[P_4]] = 2 + \varepsilon$, whereas $[\mathrm{cwp}^*[P_2]] = 2$. Thus:
$$[d_2] < [\mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon})] \qquad (2)$$
As non-deterministic choice is demonic, we have:
$$\mathrm{cwp}^*[P_5] = \mathcal{N}(d_2,\ \mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon})) = d_2 \qquad (3)$$
As $\mathcal{N}(\mathrm{cwp}^*[P_2], \mathrm{cwp}^*[P_4]) \in \{\mathrm{cwp}^*[P_2], \mathrm{cwp}^*[P_4]\}$ we can resolve the non-determinism in $P$ by either rewriting $P$ to $\{P_1\}\,[1/2]\,\{P_2\}$, which gives
$$[\mathrm{cwp}^*[\{P_1\}\,[1/2]\,\{P_2\}]] = \frac{3}{2},$$
or rewriting $P$ to $\{P_1\}\,[1/2]\,\{P_4\}$, which gives
$$[\mathrm{cwp}^*[\{P_1\}\,[1/2]\,\{P_4\}]] = \frac{4+\varepsilon}{3}.$$
For a sufficiently small $\varepsilon$ (namely $\varepsilon < 1/2$) the second option should be preferred by a demonic scheduler. This, however, suggests:
$$\mathrm{cwp}^*[P_5] = \mathcal{N}(d_2,\ \mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon})) = \mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon}).$$
Together with Equality (3) we get $d_2 = \mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon})$, which implies $[d_2] = [\mathcal{K}(\mathit{of}, 1/2, d_{2+\varepsilon})]$. This is a contradiction to Inequality (2). □

Fig. 4. Schematic depiction of the RMDP $\mathcal{R}_{\sigma_0}[P]$.
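The two values compared in the proof follow from Definition VII.1 together with Theorem V.6 applied to the two (fully probabilistic) rewritings, using $x$ as the reward and the rules of Fig. 2; this derivation is added here and is not part of the original text:
$$[\mathrm{cwp}^*[\{P_1\}\,[1/2]\,\{P_2\}]] = \frac{\mathrm{wp}[\{P_1\}[1/2]\{P_2\}](x)}{\mathrm{wlp}[\{P_1\}[1/2]\{P_2\}](1)} = \frac{\tfrac12\cdot 1 + \tfrac12\cdot 2}{\tfrac12 + \tfrac12} = \frac{3}{2},$$
$$[\mathrm{cwp}^*[\{P_1\}\,[1/2]\,\{P_4\}]] = \frac{\tfrac12\cdot 1 + \tfrac12\bigl(\tfrac12\cdot 0 + \tfrac12\,(2+\varepsilon)\bigr)}{\tfrac12\cdot 1 + \tfrac12\bigl(\tfrac12\cdot 0 + \tfrac12\cdot 1\bigr)} = \frac{(4+\varepsilon)/4}{3/4} = \frac{4+\varepsilon}{3}.$$
Here the infeasible branch $\mathtt{observe}\ \mathit{false}$ contributes $0$ to both numerator and denominator, which is the rescaling referred to in the proof, and $\frac{4+\varepsilon}{3} < \frac{3}{2}$ holds exactly when $\varepsilon < \frac12$: locally (Equality (3)) the demonic choice picks $P_2$, globally it picks $P_4$, and no function $\mathcal{N}$ of the two local values alone can make both choices.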

As an immediate corollary of Theorem VII.1 we obtain the following statement:

Corollary VII.2. We cannot extend the cwp rules in Figure 2 to non-deterministic programs such that Theorem V.6 extends to full cpGCL.

This result is related to the fact that for minimizing conditional (reachability) probabilities in RMDPs positional, i.e. history-independent, schedulers are insufficient. Intuitively speaking, if a history-dependent scheduler is required, this necessitates the inductive definition of $\mathrm{cwp}^*$ to take the context of a statement (if any) into account. This conflicts with the principle of an inductive definition. Investigating the precise relationship with that result requires further study.

VIII. Conclusion and Future Work

This paper presented an extensive treatment of semantic issues in probabilistic programs with conditioning. Major contributions are the treatment of non-terminating programs (both operationally and for weakest liberal pre-expectations), our results on combining non-determinism with conditioning, as well as the presented program transformations. We firmly believe that a thorough understanding of these semantic issues provides a main cornerstone for enabling automated analysis techniques such as loop invariant synthesis, program analysis [28] and model checking [22] for the class of probabilistic programs with conditioning. Future work consists of investigating conditional invariants and a further investigation of non-determinism in combination with conditioning.
Appendix

A. Continuity of wp and wlp

Lemma A.1 (Continuity of wp/wlp). Consider the extension of wp and wlp to cpGCL given by
$$\mathrm{wp}[\mathtt{observe}\ G](f) = \chi_G\cdot f, \qquad\qquad \mathrm{wlp}[\mathtt{observe}\ G](g) = \chi_G\cdot g.$$
Then for every $P \in \mathrm{cpGCL}$ the expectation transformers $\mathrm{wp}[P]\colon \mathbb{E} \to \mathbb{E}$ and $\mathrm{wlp}[P]\colon \mathbb{E}_{\le 1} \to \mathbb{E}_{\le 1}$ are continuous mappings over $(\mathbb{E}, \sqsubseteq)$ and $(\mathbb{E}_{\le 1}, \sqsubseteq)$, respectively.

Proof. For proving the continuity of wp we have to show that for any directed subset $D \subseteq \mathbb{E}$ we have
$$\sup_{f \in D} \mathrm{wp}[P](f) = \mathrm{wp}[P]\Bigl(\sup_{f \in D} f\Bigr). \qquad (4)$$
This can be shown by structural induction on $P$. All cases except for the observe statement have been covered in [10]. It remains to show that Equality (4) holds for $P = \mathtt{observe}\ G$:
$$\sup_{f \in D} \mathrm{wp}[\mathtt{observe}\ G](f) = \sup_{f \in D} \chi_G\cdot f = \chi_G\cdot \sup_{f \in D} f = \mathrm{wp}[\mathtt{observe}\ G]\Bigl(\sup_{f \in D} f\Bigr).$$
The proof for the liberal transformer wlp is analogous. □

B. Proof of Theorem V.1

Theorem V.1 (Decoupling of cwp/cwlp). For $P \in \mathrm{cpGCL}^\diamond$, $f \in \mathbb{E}$, and $f', g \in \mathbb{E}_{\le 1}$:
$$\mathrm{cwp}[P](f,g) = \bigl(\mathrm{wp}[P](f),\ \mathrm{wlp}[P](g)\bigr)$$
$$\mathrm{cwlp}[P](f',g) = \bigl(\mathrm{wlp}[P](f'),\ \mathrm{wlp}[P](g)\bigr)$$

Proof. The proof of Theorem V.1 goes by induction over all cpGCL$^\diamond$ programs. For the induction base we have:

a) The Effectless Program skip: For cwp we have:
$$\mathrm{cwp}[\mathtt{skip}](f,g) = (f,g) = \bigl(\mathrm{wp}[\mathtt{skip}](f),\ \mathrm{wlp}[\mathtt{skip}](g)\bigr).$$
The argument for cwlp is completely analogous.

b) The Faulty Program abort: For cwp we have:
$$\mathrm{cwp}[\mathtt{abort}](f,g) = (0,1) = \bigl(\mathrm{wp}[\mathtt{abort}](f),\ \mathrm{wlp}[\mathtt{abort}](g)\bigr).$$
Analogously for cwlp we have:
$$\mathrm{cwlp}[\mathtt{abort}](f',g) = (1,1) = \bigl(\mathrm{wlp}[\mathtt{abort}](f'),\ \mathrm{wlp}[\mathtt{abort}](g)\bigr).$$

c) The Assignment $x := E$: For cwp we have:
$$\mathrm{cwp}[x := E](f,g) = \bigl(f[x/E],\ g[x/E]\bigr) = \bigl(\mathrm{wp}[x := E](f),\ \mathrm{wlp}[x := E](g)\bigr).$$
The argument for cwlp is completely analogous.

d) The Observation observe $G$: For cwp we have:
$$\mathrm{cwp}[\mathtt{observe}\ G](f,g) = \bigl(f\cdot\chi_G,\ g\cdot\chi_G\bigr) = \bigl(\mathrm{wp}[\mathtt{observe}\ G](f),\ \mathrm{wlp}[\mathtt{observe}\ G](g)\bigr).$$
The argument for cwlp is completely analogous.

e) The Induction Hypothesis: Assume in the following that for two arbitrary but fixed programs $P, Q \in \mathrm{cpGCL}^\diamond$ it holds that both
$$\mathrm{cwp}[P](f,g) = \bigl(\mathrm{wp}[P](f),\ \mathrm{wlp}[P](g)\bigr) \quad\text{and}\quad \mathrm{cwlp}[P](f',g) = \bigl(\mathrm{wlp}[P](f'),\ \mathrm{wlp}[P](g)\bigr),$$
and likewise for $Q$. Then for the induction step we have:

f) The Concatenation $P;\,Q$: For cwp we have:
$$
\begin{aligned}
\mathrm{cwp}[P;\,Q](f,g) &= \mathrm{cwp}[P]\bigl(\mathrm{cwp}[Q](f,g)\bigr)\\
&= \mathrm{cwp}[P]\bigl(\mathrm{wp}[Q](f),\ \mathrm{wlp}[Q](g)\bigr) &&\text{(I.H. on } Q)\\
&= \bigl(\mathrm{wp}[P](\mathrm{wp}[Q](f)),\ \mathrm{wlp}[P](\mathrm{wlp}[Q](g))\bigr) &&\text{(I.H. on } P)\\
&= \bigl(\mathrm{wp}[P;\,Q](f),\ \mathrm{wlp}[P;\,Q](g)\bigr).
\end{aligned}
$$
The argument for cwlp is completely analogous.

g) The Conditional Choice ite $(G)\,\{P\}\,\{Q\}$: For cwp we have:
$$
\begin{aligned}
\mathrm{cwp}[\mathtt{ite}\,(G)\,\{P\}\,\{Q\}](f,g) &= \chi_G\cdot\mathrm{cwp}[P](f,g) + \chi_{\neg G}\cdot\mathrm{cwp}[Q](f,g)\\
&= \chi_G\cdot\bigl(\mathrm{wp}[P](f),\ \mathrm{wlp}[P](g)\bigr) + \chi_{\neg G}\cdot\bigl(\mathrm{wp}[Q](f),\ \mathrm{wlp}[Q](g)\bigr) &&\text{(I.H.)}\\
&= \bigl(\chi_G\cdot\mathrm{wp}[P](f) + \chi_{\neg G}\cdot\mathrm{wp}[Q](f),\ \chi_G\cdot\mathrm{wlp}[P](g) + \chi_{\neg G}\cdot\mathrm{wlp}[Q](g)\bigr)\\
&= \bigl(\mathrm{wp}[\mathtt{ite}\,(G)\,\{P\}\,\{Q\}](f),\ \mathrm{wlp}[\mathtt{ite}\,(G)\,\{P\}\,\{Q\}](g)\bigr).
\end{aligned}
$$
The argument for cwlp is completely analogous.

h) The Probabilistic Choice $\{P\}\,[p]\,\{Q\}$: For cwp we have:
$$
\begin{aligned}
\mathrm{cwp}[\{P\}\,[p]\,\{Q\}](f,g) &= p\cdot\mathrm{cwp}[P](f,g) + (1-p)\cdot\mathrm{cwp}[Q](f,g)\\
&= p\cdot\bigl(\mathrm{wp}[P](f),\ \mathrm{wlp}[P](g)\bigr) + (1-p)\cdot\bigl(\mathrm{wp}[Q](f),\ \mathrm{wlp}[Q](g)\bigr) &&\text{(I.H.)}\\
&= \bigl(p\cdot\mathrm{wp}[P](f) + (1-p)\cdot\mathrm{wp}[Q](f),\ p\cdot\mathrm{wlp}[P](g) + (1-p)\cdot\mathrm{wlp}[Q](g)\bigr)\\
&= \bigl(\mathrm{wp}[\{P\}\,[p]\,\{Q\}](f),\ \mathrm{wlp}[\{P\}\,[p]\,\{Q\}](g)\bigr).
\end{aligned}
$$
The argument for cwlp is completely analogous.

i) The Loop while $(G)\,\{P\}$: For cwp we have:
$$
\begin{aligned}
\mathrm{cwp}[\mathtt{while}\,(G)\,\{P\}](f,g) &= \mu_{\sqsubseteq,\sqsupseteq}(X_1,X_2).\ \chi_G\cdot\mathrm{cwp}[P](X_1,X_2) + \chi_{\neg G}\cdot(f,g)\\
&= \mu_{\sqsubseteq,\sqsupseteq}(X_1,X_2).\ \chi_G\cdot\bigl(\mathrm{wp}[P](X_1),\ \mathrm{wlp}[P](X_2)\bigr) + \chi_{\neg G}\cdot(f,g) &&\text{(I.H.)}\\
&= \mu_{\sqsubseteq,\sqsupseteq}(X_1,X_2).\ \bigl(\chi_G\cdot\mathrm{wp}[P](X_1) + \chi_{\neg G}\cdot f,\ \chi_G\cdot\mathrm{wlp}[P](X_2) + \chi_{\neg G}\cdot g\bigr).
\end{aligned}
$$
Now let $H(X_1,X_2) = \bigl(\chi_G\cdot\mathrm{wp}[P](X_1) + \chi_{\neg G}\cdot f,\ \chi_G\cdot\mathrm{wlp}[P](X_2) + \chi_{\neg G}\cdot g\bigr)$, let $H_1(X_1,X_2)$ be the projection of $H(X_1,X_2)$ to the first component and let $H_2(X_1,X_2)$ be the projection of $H(X_1,X_2)$ to the second component.

Notice that the value of $H_1(X_1,X_2)$ does not depend on $X_2$ and that it is given by
$$H_1(X_1,\_) = \chi_G\cdot\mathrm{wp}[P](X_1) + \chi_{\neg G}\cdot f.$$
By the continuity of wp (Lemma A.1) we can establish that $H_1$ is continuous. Analogously the value of $H_2(X_1,X_2)$ does not depend on $X_1$ and it is given by
$$H_2(\_,X_2) = \chi_G\cdot\mathrm{wlp}[P](X_2) + \chi_{\neg G}\cdot g.$$
By the continuity of wlp (Lemma A.1) we can establish that $H_2$ is continuous.

As both $H_1$ and $H_2$ are continuous, we can apply Bekič's Theorem [29], which tells us that the least fixed point of $H$ is given as $(X_1^*, X_2^*)$ with
$$
\begin{aligned}
X_1^* &= \mu_{\sqsubseteq} X_1.\ H_1\bigl(X_1,\ \mu_{\sqsupseteq} X_2.\ H_2(X_1,X_2)\bigr)\\
&= \mu_{\sqsubseteq} X_1.\ H_1(X_1,\_)\\
&= \mu_{\sqsubseteq} X_1.\ \chi_G\cdot\mathrm{wp}[P](X_1) + \chi_{\neg G}\cdot f\\
&= \mathrm{wp}[\mathtt{while}\,(G)\,\{P\}](f)
\end{aligned}
$$
and
$$
\begin{aligned}
X_2^* &= \mu_{\sqsupseteq} X_2.\ H_2\bigl(\mu_{\sqsubseteq} X_1.\ H_1(X_1,X_2),\ X_2\bigr)\\
&= \mu_{\sqsupseteq} X_2.\ H_2(\_,X_2)\\
&= \mu_{\sqsupseteq} X_2.\ \chi_G\cdot\mathrm{wlp}[P](X_2) + \chi_{\neg G}\cdot g\\
&= \nu_{\sqsubseteq} X_2.\ \chi_G\cdot\mathrm{wlp}[P](X_2) + \chi_{\neg G}\cdot g\\
&= \mathrm{wlp}[\mathtt{while}\,(G)\,\{P\}](g),
\end{aligned}
$$
which gives us in total
$$\mathrm{cwp}[\mathtt{while}\,(G)\,\{P\}](f,g) = (X_1^*, X_2^*) = \bigl(\mathrm{wp}[\mathtt{while}\,(G)\,\{P\}](f),\ \mathrm{wlp}[\mathtt{while}\,(G)\,\{P\}](g)\bigr).$$
The argument for cwlp is completely analogous. □

C. Linearity of wp

Lemma A.2 (Linearity of wp). For any $P \in \mathrm{cpGCL}^\diamond$, any post-expectations $f, g \in \mathbb{E}$, and any non-negative real constants $\alpha, \beta$,
$$\mathrm{wp}[P](\alpha\cdot f + \beta\cdot g) = \alpha\cdot\mathrm{wp}[P](f) + \beta\cdot\mathrm{wp}[P](g).$$

Proof. The proof proceeds by induction on the structure of $P$.

j) The Effectless Program skip:
$$\mathrm{wp}[\mathtt{skip}](\alpha\cdot f + \beta\cdot g) = \alpha\cdot f + \beta\cdot g = \alpha\cdot\mathrm{wp}[\mathtt{skip}](f) + \beta\cdot\mathrm{wp}[\mathtt{skip}](g).$$

k) The Faulty Program abort:
$$\mathrm{wp}[\mathtt{abort}](\alpha\cdot f + \beta\cdot g) = 0 = \alpha\cdot\mathrm{wp}[\mathtt{abort}](f) + \beta\cdot\mathrm{wp}[\mathtt{abort}](g).$$

l) The Assignment $x := E$:
$$\mathrm{wp}[x := E](\alpha\cdot f + \beta\cdot g) = (\alpha\cdot f + \beta\cdot g)[x/E] = \alpha\cdot f[x/E] + \beta\cdot g[x/E] = \alpha\cdot\mathrm{wp}[x := E](f) + \beta\cdot\mathrm{wp}[x := E](g).$$

m) The Observation observe $G$:
$$\mathrm{wp}[\mathtt{observe}\ G](\alpha\cdot f + \beta\cdot g) = \chi_G\cdot(\alpha\cdot f + \beta\cdot g) = \alpha\cdot\chi_G\cdot f + \beta\cdot\chi_G\cdot g = \alpha\cdot\mathrm{wp}[\mathtt{observe}\ G](f) + \beta\cdot\mathrm{wp}[\mathtt{observe}\ G](g).$$

n) The Concatenation $P;\,Q$:
$$
\begin{aligned}
\mathrm{wp}[P;\,Q](\alpha\cdot f + \beta\cdot g) &= \mathrm{wp}[P]\bigl(\mathrm{wp}[Q](\alpha\cdot f + \beta\cdot g)\bigr)\\
&= \mathrm{wp}[P]\bigl(\alpha\cdot\mathrm{wp}[Q](f) + \beta\cdot\mathrm{wp}[Q](g)\bigr) &&\text{(I.H. on } Q)\\
&= \alpha\cdot\mathrm{wp}[P](\mathrm{wp}[Q](f)) + \beta\cdot\mathrm{wp}[P](\mathrm{wp}[Q](g)) &&\text{(I.H. on } P)\\
&= \alpha\cdot\mathrm{wp}[P;\,Q](f) + \beta\cdot\mathrm{wp}[P;\,Q](g).
\end{aligned}
$$

o) The Conditional Choice ite $(G)\,\{P\}\,\{Q\}$:
$$
\begin{aligned}
\mathrm{wp}[\mathtt{ite}\,(G)\,\{P\}\,\{Q\}](\alpha\cdot f + \beta\cdot g) &= \chi_G\cdot\mathrm{wp}[P](\alpha\cdot f + \beta\cdot g) + \chi_{\neg G}\cdot\mathrm{wp}[Q](\alpha\cdot f + \beta\cdot g)\\
&= \chi_G\cdot\bigl(\alpha\cdot\mathrm{wp}[P](f) + \beta\cdot\mathrm{wp}[P](g)\bigr) + \chi_{\neg G}\cdot\bigl(\alpha\cdot\mathrm{wp}[Q](f) + \beta\cdot\mathrm{wp}[Q](g)\bigr) &&\text{(I.H.)}\\
&= \alpha\cdot\bigl(\chi_G\cdot\mathrm{wp}[P](f) + \chi_{\neg G}\cdot\mathrm{wp}[Q](f)\bigr) + \beta\cdot\bigl(\chi_G\cdot\mathrm{wp}[P](g) + \chi_{\neg G}\cdot\mathrm{wp}[Q](g)\bigr)\\
&= \alpha\cdot\mathrm{wp}[\mathtt{ite}\,(G)\,\{P\}\,\{Q\}](f) + \beta\cdot\mathrm{wp}[\mathtt{ite}\,(G)\,\{P\}\,\{Q\}](g).
\end{aligned}
$$

p) The Probabilistic Choice $\{P\}\,[p]\,\{Q\}$:
$$
\begin{aligned}
\mathrm{wp}[\{P\}\,[p]\,\{Q\}](\alpha\cdot f + \beta\cdot g) &= p\cdot\mathrm{wp}[P](\alpha\cdot f + \beta\cdot g) + (1-p)\cdot\mathrm{wp}[Q](\alpha\cdot f + \beta\cdot g)\\
&= p\cdot\bigl(\alpha\cdot\mathrm{wp}[P](f) + \beta\cdot\mathrm{wp}[P](g)\bigr) + (1-p)\cdot\bigl(\alpha\cdot\mathrm{wp}[Q](f) + \beta\cdot\mathrm{wp}[Q](g)\bigr) &&\text{(I.H.)}\\
&= \alpha\cdot\bigl(p\cdot\mathrm{wp}[P](f) + (1-p)\cdot\mathrm{wp}[Q](f)\bigr) + \beta\cdot\bigl(p\cdot\mathrm{wp}[P](g) + (1-p)\cdot\mathrm{wp}[Q](g)\bigr)\\
&= \alpha\cdot\mathrm{wp}[\{P\}\,[p]\,\{Q\}](f) + \beta\cdot\mathrm{wp}[\{P\}\,[p]\,\{Q\}](g).
\end{aligned}
$$

q) The Loop while $(G)\,\{P\}$: The main idea of the proof is to show that linearity holds for the $n$-th unrolling of the loop and then use a continuity argument to show that the property carries over to the loop.

The fact that linearity holds for the $n$-th unrolling of the loop is formalized by the formula $H^n(0) = \alpha\cdot I^n(0) + \beta\cdot J^n(0)$, where
$$
\begin{aligned}
H(X) &= \chi_G\cdot\mathrm{wp}[P](X) + \chi_{\neg G}\cdot(\alpha\cdot f + \beta\cdot g)\\
I(X) &= \chi_G\cdot\mathrm{wp}[P](X) + \chi_{\neg G}\cdot f\\
J(X) &= \chi_G\cdot\mathrm{wp}[P](X) + \chi_{\neg G}\cdot g.
\end{aligned}
$$
We prove this formula by induction on $n$. The base case $n = 0$ is immediate. For the inductive case we reason as follows:
$$
\begin{aligned}
H^{n+1}(0) &= H(H^n(0))\\
&= H\bigl(\alpha\cdot I^n(0) + \beta\cdot J^n(0)\bigr) &&\text{(I.H. on } n)\\
&= \chi_G\cdot\mathrm{wp}[P]\bigl(\alpha\cdot I^n(0) + \beta\cdot J^n(0)\bigr) + \chi_{\neg G}\cdot(\alpha\cdot f + \beta\cdot g)\\
&= \chi_G\cdot\bigl(\alpha\cdot\mathrm{wp}[P](I^n(0)) + \beta\cdot\mathrm{wp}[P](J^n(0))\bigr) + \chi_{\neg G}\cdot(\alpha\cdot f + \beta\cdot g) &&\text{(I.H. on } P)\\
&= \alpha\cdot\bigl(\chi_G\cdot\mathrm{wp}[P](I^n(0)) + \chi_{\neg G}\cdot f\bigr) + \beta\cdot\bigl(\chi_G\cdot\mathrm{wp}[P](J^n(0)) + \chi_{\neg G}\cdot g\bigr)\\
&= \alpha\cdot I(I^n(0)) + \beta\cdot J(J^n(0))\\
&= \alpha\cdot I^{n+1}(0) + \beta\cdot J^{n+1}(0).
\end{aligned}
$$
Now we turn to the proof of the main claim. We apply the Kleene Fixed Point Theorem to deduce that the least fixed points of $H$, $I$ and $J$ can be built by iteration from expectation $0$, since the three transformers are continuous (due to the continuity of wp established in Lemma A.1). Then we have
$$
\begin{aligned}
\mathrm{wp}[\mathtt{while}\,(G)\,\{P\}](\alpha\cdot f + \beta\cdot g) &= \bigsqcup_n H^n(0)\\
&= \bigsqcup_n \bigl(\alpha\cdot I^n(0) + \beta\cdot J^n(0)\bigr)\\
&= \alpha\cdot\bigsqcup_n I^n(0) + \beta\cdot\bigsqcup_n J^n(0)\\
&= \alpha\cdot\mathrm{wp}[\mathtt{while}\,(G)\,\{P\}](f) + \beta\cdot\mathrm{wp}[\mathtt{while}\,(G)\,\{P\}](g). \qquad\square
\end{aligned}
$$

D. Proof of Lemma V.3

Lemma V.3 (Elementary properties of cwp and cwlp). For every $P \in \mathrm{cpGCL}^\diamond$ with at least one feasible execution (from every initial state), post-expectations $f, g \in \mathbb{E}$ and non-negative real constants $\alpha, \beta$:

i) $f \sqsubseteq g$ implies $\mathrm{cwp}[P](f) \sqsubseteq \mathrm{cwp}[P](g)$, and likewise for cwlp (monotonicity).
ii) $\mathrm{cwp}[P](\alpha\cdot f + \beta\cdot g) = \alpha\cdot\mathrm{cwp}[P](f) + \beta\cdot\mathrm{cwp}[P](g)$.
iii) $\mathrm{cwp}[P](0) = 0$ and $\mathrm{cwlp}[P](1) = 1$.

r) Proof of i): We do the proof for the transformer cwp; the proof for cwlp is analogous. In view of Theorem V.1 the monotonicity of cwp reduces to the monotonicity of wp, which follows immediately from its continuity (see Lemma A.1).

s) Proof of ii): Once again, in view of Theorem V.1 the linearity of cwp follows from the linearity of wp, which we prove in Lemma A.2.

t) Proof of iii): Let us begin by proving that $\mathrm{cwp}[P](0) = 0$. On account of Theorem V.1 this assertion reduces to $\mathrm{wp}[P](0) = 0$, which has already been proved for pGCL programs. Therefore we only have to deal with the case of observe statements, and the claim holds since $\mathrm{wp}[\mathtt{observe}\ G](0) = \chi_G\cdot 0 = 0$. Finally, the formula $\mathrm{cwlp}[P](1) = 1$ follows immediately from Theorem V.1. □

E. Proof of Lemma IV.4 (i)

For proving Lemma IV.4 (i) we rely on the fact that allowing a bounded while-loop to be executed an increasing number of times approximates the behavior of an unbounded while-loop. We first define bounded while-loops formally:

Definition A.1 (Bounded while-Loops). Let $P \in \mathsf{pGCL}$. Then we define:
\[
\begin{aligned}
\mathsf{while}^{<0}\ (G)\ \{P\} &= \mathsf{abort} \\
\mathsf{while}^{<k+1}\ (G)\ \{P\} &= \mathsf{ite}\ (G)\ \{P^{<k}\}\ \{\mathsf{skip}\} \\
P^{<k} &= P;\ \mathsf{while}^{<k}\ (G)\ \{P\}
\end{aligned}
\]

We can now establish that by taking the supremum over the bound $k$ we obtain the full behavior of the unbounded while-loop:

Lemma A.4. Let $G$ be a predicate, $P \in \mathsf{pGCL}$, and $f \in \mathbb{E}$. Then it holds that
\[
\sup_{k\in\mathbb{N}} \mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f) = \mathrm{wp}[\mathsf{while}\ (G)\ \{P\}](f)\,.
\]

(Footnote: We cannot adopt the results from the original work because their analysis is restricted to bounded expectations.)

Proof. For any predicate $G$, any program $P \in \mathsf{pGCL}$, and any expectation $f \in \mathbb{E}$ let
\[
F(X) = \chi_G\cdot\mathrm{wp}[P](X) + \chi_{\neg G}\cdot f\,.
\]
We first show by induction on $k \in \mathbb{N}$ that
\[
\mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f) = F^k(0)\,.
\]
For the induction base we have $k = 0$. In that case we have
\[
\mathrm{wp}[\mathsf{while}^{<0}\ (G)\ \{P\}](f) = \mathrm{wp}[\mathsf{abort}](f) = 0 = F^0(0)\,.
\]
As the induction hypothesis assume now that $\mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f) = F^k(0)$ holds for some arbitrary but fixed $k$. Then for the induction step we have
\[
\begin{aligned}
&\mathrm{wp}[\mathsf{while}^{<k+1}\ (G)\ \{P\}](f) \\
&= \mathrm{wp}[\mathsf{ite}\ (G)\ \{P;\ \mathsf{while}^{<k}\ (G)\ \{P\}\}\ \{\mathsf{skip}\}](f) \\
&= \big(\chi_G\cdot\mathrm{wp}[P]\circ\mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}] + \chi_{\neg G}\cdot\mathrm{wp}[\mathsf{skip}]\big)(f) \\
&= \chi_G\cdot\mathrm{wp}[P]\big(\mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f)\big) + \chi_{\neg G}\cdot\mathrm{wp}[\mathsf{skip}](f) \\
&= \chi_G\cdot\mathrm{wp}[P](F^k(0)) + \chi_{\neg G}\cdot f && \text{(I.H.)} \\
&= F^{k+1}(0)\,.
\end{aligned}
\]
We have by now established that $\mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f) = F^k(0)$ holds for every $k \in \mathbb{N}$. Ergo, we can also establish that
\[
\sup_{k\in\mathbb{N}} \mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f)
= \sup_{k\in\mathbb{N}} F^k(0)
= \mu X.\ F(X)
= \mathrm{wp}[\mathsf{while}\ (G)\ \{P\}](f)\,. \qquad\square
\]

With Lemma A.4 in mind, we can now restate and prove Lemma IV.4 (i):

Lemma IV.4 (i). For $P \in \mathsf{cpGCL}^{\setminus}$, $f \in \mathbb{E}$, $g \in \mathbb{E}_{\le 1}$, and $\sigma \in \mathbb{S}$:
\[
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle) = \mathrm{wp}[P](f)(\sigma)\,.
\]

Proof. The proof goes by induction over all cpGCL programs. For the induction base we have:

The Effectless Program skip. The RMC for this program is of the following form (if transitions have probability 1, we omit this in our figures; moreover, all states, with the exception of $\langle sink\rangle$, are left out if they are not reachable from the initial state):

[RMC] $(\mathsf{skip},\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$, with rewards $0$, $f(\sigma)$ and $0$, respectively.

In the above RMC we have $\Pi := \mathrm{Paths}((\mathsf{skip},\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (\mathsf{skip},\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$. Then we have for the expected reward:
\[
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{skip}]}(\Diamond\langle sink\rangle)
= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi)
= \Pr(\pi_1)\cdot r(\pi_1)
= 1\cdot f(\sigma)
= f(\sigma)
= \mathrm{wp}[\mathsf{skip}](f)(\sigma)\,.
\]

The Faulty Program abort. The RMC for this program is of the following form:

[RMC] $(\mathsf{abort},\sigma)$ never reaches $\langle sink\rangle$; both states carry reward $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{abort},\sigma),\langle sink\rangle) = \emptyset$. Then we have for the expected reward:
\[
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{abort}]}(\Diamond\langle sink\rangle)
= \sum_{\pi\in\emptyset}\Pr(\pi)\cdot r(\pi)
= 0
= 0(\sigma)
= \mathrm{wp}[\mathsf{abort}](f)(\sigma)\,.
\]

The Assignment $x := E$. The RMC for this program is of the following form:

[RMC] $(x := E,\sigma) \to (\downarrow,\sigma[E/x]) \to \langle sink\rangle$, with rewards $0$, $f(\sigma[E/x])$ and $0$.

In this RMC we have $\Pi := \mathrm{Paths}((x := E,\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (x := E,\sigma) \to (\downarrow,\sigma[E/x]) \to \langle sink\rangle$. Then we have for the expected reward:
\[
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[x := E]}(\Diamond\langle sink\rangle)
= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi)
= \Pr(\pi_1)\cdot r(\pi_1)
= 1\cdot f(\sigma[E/x])
= f(\sigma[E/x])
= f[E/x](\sigma)
= \mathrm{wp}[x := E](f)(\sigma)\,.
\]

The Observation $\mathsf{observe}\ G$. For this program there are two cases: In Case 1 we have $\sigma \models G$, so we have $\chi_G(\sigma) = 1$. The RMC in this case is of the following form:

[RMC] $(\mathsf{observe}\ G,\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$, with rewards $0$, $f(\sigma)$ and $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{observe}\ G,\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (\mathsf{observe}\ G,\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$. Then we have for the expected reward:
\[
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{observe}\ G]}(\Diamond\langle sink\rangle)
= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi)
= \Pr(\pi_1)\cdot r(\pi_1)
= 1\cdot f(\sigma)
= \chi_G(\sigma)\cdot f(\sigma)
= (\chi_G\cdot f)(\sigma)
= \mathrm{wp}[\mathsf{observe}\ G](f)(\sigma)\,.
\]
In Case 2 we have $\sigma \not\models G$, so we have $\chi_G(\sigma) = 0$. The RMC in this case is of the following form:

[RMC] $(\mathsf{observe}\ G,\sigma) \to \langle\text{↯}\rangle \to \langle sink\rangle$, all three states with reward $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{observe}\ G,\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (\mathsf{observe}\ G,\sigma) \to \langle\text{↯}\rangle \to \langle sink\rangle$. Then for the expected reward we also have:
\[
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{observe}\ G]}(\Diamond\langle sink\rangle)
= \Pr(\pi_1)\cdot r(\pi_1)
= 1\cdot 0
= 0
= 0\cdot f(\sigma)
= \chi_G(\sigma)\cdot f(\sigma)
= (\chi_G\cdot f)(\sigma)
= \mathrm{wp}[\mathsf{observe}\ G](f)(\sigma)\,.
\]


The Concatenation $P;\,Q$. For this program the RMC is of the following form:

[RMC] $(P;Q,\sigma) \to \cdots \to (\downarrow;Q,\sigma') \to (Q,\sigma') \to \cdots$, and likewise $(\downarrow;Q,\sigma'') \to (Q,\sigma'') \to \cdots$ for every other terminal state $\sigma''$ of $P$; the states shown carry reward $0$.

In this RMC every path in $\mathrm{Paths}((P;Q,\sigma),\langle sink\rangle)$ starts with $(P;Q,\sigma)$, eventually reaches $(\downarrow;Q,\sigma')$, and then immediately after that reaches $(Q,\sigma')$, which is the initial state of $\mathcal{R}^f_{\sigma'}[Q]$, for which the expected reward is given by $\mathrm{ExpRew}^{\mathcal{R}^f_{\sigma'}[Q]}(\Diamond\langle sink\rangle)$. By this insight we can transform the above RMC into the RMC with equal expected reward below:

[RMC] $(P,\sigma) \to \cdots \to (\downarrow,\sigma')$, where every terminal state $(\downarrow,\sigma')$ is assigned the reward $\mathrm{ExpRew}^{\mathcal{R}^f_{\sigma'}[Q]}(\Diamond\langle sink\rangle)$ and all other states have reward $0$.

But the above RMC is exactly $\mathcal{R}^{\lambda\tau.\ \mathrm{ExpRew}^{\mathcal{R}^f_\tau[Q]}(\Diamond\langle sink\rangle)}_\sigma[P]$, for which the expected reward is also known by the induction hypothesis. So we have
\[
\begin{aligned}
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P;Q]}(\Diamond\langle sink\rangle)
&= \mathrm{ExpRew}^{\mathcal{R}^{\lambda\tau.\ \mathrm{ExpRew}^{\mathcal{R}^f_\tau[Q]}(\Diamond\langle sink\rangle)}_\sigma[P]}(\Diamond\langle sink\rangle) \\
&= \mathrm{ExpRew}^{\mathcal{R}^{\mathrm{wp}[Q](f)}_\sigma[P]}(\Diamond\langle sink\rangle) && \text{(I.H. on } Q\text{)} \\
&= \mathrm{wp}[P]\big(\mathrm{wp}[Q](f)\big)(\sigma) && \text{(I.H. on } P\text{)} \\
&= \mathrm{wp}[P;Q](f)(\sigma)\,.
\end{aligned}
\]

The Conditional Choice $\mathsf{ite}\ (G)\ \{P\}\ \{Q\}$. For this program there are two cases: In Case 1 we have $\sigma \models G$, so we have $\chi_G(\sigma) = 1$ and $\chi_{\neg G}(\sigma) = 0$. The RMC in this case is of the following form:

[RMC] $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (P,\sigma) \to \cdots$, with reward $0$ at the initial state.

In this RMC every path in $\mathrm{Paths}((\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma),\langle sink\rangle)$ starts with $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (P,\sigma) \to \cdots$. As the state $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma)$ collects zero reward, the expected reward of the above RMC is equal to the expected reward of the following RMC:

[RMC] $(P,\sigma) \to \cdots$, with reward $0$ at the initial state.

But the above RMC is exactly $\mathcal{R}^f_\sigma[P]$, for which the expected reward is known by the induction hypothesis. So we have
\[
\begin{aligned}
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\Diamond\langle sink\rangle)
&= \mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle) \\
&= \mathrm{wp}[P](f)(\sigma) && \text{(I.H.)} \\
&= 1\cdot\mathrm{wp}[P](f)(\sigma) + 0\cdot\mathrm{wp}[Q](f)(\sigma) \\
&= \chi_G(\sigma)\cdot\mathrm{wp}[P](f)(\sigma) + \chi_{\neg G}(\sigma)\cdot\mathrm{wp}[Q](f)(\sigma) \\
&= \mathrm{wp}[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}](f)(\sigma)\,.
\end{aligned}
\]
In Case 2 we have $\sigma \not\models G$, so we have $\chi_G(\sigma) = 0$ and $\chi_{\neg G}(\sigma) = 1$. The RMC in this case is of the following form:

[RMC] $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (Q,\sigma) \to \cdots$, with reward $0$ at the initial state.

In this RMC every path in $\mathrm{Paths}((\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma),\langle sink\rangle)$ starts with $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (Q,\sigma) \to \cdots$. As the state $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma)$ collects zero reward, the expected reward of the above RMC is equal to the expected reward of the following RMC:

[RMC] $(Q,\sigma) \to \cdots$, with reward $0$ at the initial state.

But the above RMC is exactly $\mathcal{R}^f_\sigma[Q]$, for which the expected reward is known by the induction hypothesis. So we also have
\[
\begin{aligned}
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\Diamond\langle sink\rangle)
&= \mathrm{ExpRew}^{\mathcal{R}^f_\sigma[Q]}(\Diamond\langle sink\rangle) \\
&= \mathrm{wp}[Q](f)(\sigma) && \text{(I.H.)} \\
&= 0\cdot\mathrm{wp}[P](f)(\sigma) + 1\cdot\mathrm{wp}[Q](f)(\sigma) \\
&= \chi_G(\sigma)\cdot\mathrm{wp}[P](f)(\sigma) + \chi_{\neg G}(\sigma)\cdot\mathrm{wp}[Q](f)(\sigma) \\
&= \mathrm{wp}[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}](f)(\sigma)\,.
\end{aligned}
\]

The Probabilistic Choice $\{P\}\ [p]\ \{Q\}$. For this program the RMC is of the following form:

[RMC] $(\{P\}\ [p]\ \{Q\},\sigma) \to (P,\sigma) \to \cdots$ with probability $p$, and $(\{P\}\ [p]\ \{Q\},\sigma) \to (Q,\sigma) \to \cdots$ with probability $1-p$; the initial state has reward $0$.

In this RMC every path in $\mathrm{Paths}((\{P\}\ [p]\ \{Q\},\sigma),\langle sink\rangle)$ starts with $(\{P\}\ [p]\ \{Q\},\sigma)$ and immediately after that reaches $(P,\sigma)$ with probability $p$ or $(Q,\sigma)$ with probability $1-p$. $(P,\sigma)$ is the initial state of $\mathcal{R}^f_\sigma[P]$ and $(Q,\sigma)$ is the initial state of $\mathcal{R}^f_\sigma[Q]$. By this insight we can transform the above RMC into the RMC with equal expected reward below:

[RMC] $(\{P\}\ [p]\ \{Q\},\sigma) \to (P,\sigma)$ with probability $p$ and $\to (Q,\sigma)$ with probability $1-p$, where $(P,\sigma)$ is assigned the reward $\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle)$ and $(Q,\sigma)$ the reward $\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[Q]}(\Diamond\langle sink\rangle)$.

The expected reward of the above RMC is given by $p\cdot\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle) + (1-p)\cdot\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[Q]}(\Diamond\langle sink\rangle)$, so in total we have for the expected reward:
\[
\begin{aligned}
\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\{P\}\ [p]\ \{Q\}]}(\Diamond\langle sink\rangle)
&= p\cdot\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle) + (1-p)\cdot\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[Q]}(\Diamond\langle sink\rangle) \\
&= p\cdot\mathrm{wp}[P](f)(\sigma) + (1-p)\cdot\mathrm{wp}[Q](f)(\sigma) && \text{(I.H.)} \\
&= \mathrm{wp}[\{P\}\ [p]\ \{Q\}](f)(\sigma)\,.
\end{aligned}
\]

The Loop $\mathsf{while}\ (G)\ \{P\}$. By Lemma A.4 we have
\[
\mathrm{wp}[\mathsf{while}\ (G)\ \{P\}](f) = \sup_{k\in\mathbb{N}} \mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f)
\]
and as $\mathsf{while}^{<k}\ (G)\ \{P\}$ is a purely syntactical construct (made up from abort, skip, conditional choice, and $P$) we can (using what we have already established on abort, skip, conditional choice, and using the induction hypothesis on $P$) also establish that
\[
\sup_{k\in\mathbb{N}} \mathrm{wp}[\mathsf{while}^{<k}\ (G)\ \{P\}](f) = \sup_{k\in\mathbb{N}} \mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{while}^{<k}\ (G)\ \{P\}]}(\Diamond\langle sink\rangle)\,.
\]
It is now left to show that
\[
\begin{aligned}
&\sup_{k\in\mathbb{N}} \mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{while}^{<k}\ (G)\ \{P\}]}(\Diamond\langle sink\rangle) && (5) \\
&= \mathrm{ExpRew}^{\mathcal{R}^f_\sigma[\mathsf{while}\ (G)\ \{P\}]}(\Diamond\langle sink\rangle)\,. && (6)
\end{aligned}
\]
While the above is intuitively evident, it is a tedious and technically involved task to prove it. Therefore we just provide an intuition thereof: For showing $(5) \le (6)$, we know that every path in the RMDP $\mathcal{R}^f_\sigma[\mathsf{while}^{<k}\ (G)\ \{P\}]$ either terminates properly or is prematurely aborted (yielding $0$ reward) due to the fact that the bound of less than $k$ loop iterations was reached. The RMDP $\mathcal{R}^f_\sigma[\mathsf{while}\ (G)\ \{P\}]$ for the unbounded while-loop does not prematurely abort executions, so the left-hand side is upper bounded by the right-hand side of the equation. For showing $(5) \ge (6)$, we know that a path that collects positive reward is necessarily finite. Therefore there exists some $k \in \mathbb{N}$ such that $\mathcal{R}^f_\sigma[\mathsf{while}^{<k}\ (G)\ \{P\}]$ includes this path. Taking the supremum over $k$ we eventually include every path in $\mathcal{R}^f_\sigma[\mathsf{while}\ (G)\ \{P\}]$ that collects positive reward. $\square$

F. Proof of Lemma IV.4 (ii)

Lemma IV.4 (ii). For $P \in \mathsf{cpGCL}^{\setminus}$, $f \in \mathbb{E}$, $g \in \mathbb{E}_{\le 1}$, and $\sigma \in \mathbb{S}$:
\[
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[P]}(\Diamond\langle sink\rangle) = \mathrm{wlp}[P](g)(\sigma)\,.
\]

Proof. The proof goes by induction over all cpGCL programs. For the induction base we have:

The Effectless Program skip. The RMC for this program is of the following form:

[RMC] $(\mathsf{skip},\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$, with rewards $0$, $g(\sigma)$ and $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{skip},\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (\mathsf{skip},\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$. Then we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\mathsf{skip}]}(\Diamond\langle sink\rangle)
&= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi) + \Pr(\neg\Diamond\langle sink\rangle) \\
&= \Pr(\pi_1)\cdot r(\pi_1) + 0 \\
&= 1\cdot g(\sigma) = g(\sigma) = \mathrm{wlp}[\mathsf{skip}](g)(\sigma)\,.
\end{aligned}
\]

The Faulty Program abort. The RMC for this program is of the following form:

[RMC] $(\mathsf{abort},\sigma)$ never reaches $\langle sink\rangle$; both states carry reward $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{abort},\sigma),\langle sink\rangle) = \emptyset$. Then we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\mathsf{abort}]}(\Diamond\langle sink\rangle)
&= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi) + \Pr(\neg\Diamond\langle sink\rangle) \\
&= \sum_{\pi\in\emptyset}\Pr(\pi)\cdot r(\pi) + 1 \\
&= 0 + 1 = 1 = 1(\sigma) = \mathrm{wlp}[\mathsf{abort}](g)(\sigma)\,.
\end{aligned}
\]

The Assignment $x := E$. The RMC for this program is of the following form:

[RMC] $(x := E,\sigma) \to (\downarrow,\sigma[E/x]) \to \langle sink\rangle$, with rewards $0$, $g(\sigma[E/x])$ and $0$.

In this RMC we have $\Pi := \mathrm{Paths}((x := E,\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (x := E,\sigma) \to (\downarrow,\sigma[E/x]) \to \langle sink\rangle$. Then we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[x := E]}(\Diamond\langle sink\rangle)
&= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi) + \Pr(\neg\Diamond\langle sink\rangle) \\
&= \Pr(\pi_1)\cdot r(\pi_1) + 0 \\
&= 1\cdot g(\sigma[E/x]) = g(\sigma[E/x]) = g[E/x](\sigma) = \mathrm{wlp}[x := E](g)(\sigma)\,.
\end{aligned}
\]

The Observation $\mathsf{observe}\ G$. For this program there are two cases: In Case 1 we have $\sigma \models G$, so we have $\chi_G(\sigma) = 1$. The RMC in this case is of the following form:

[RMC] $(\mathsf{observe}\ G,\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$, with rewards $0$, $g(\sigma)$ and $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{observe}\ G,\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (\mathsf{observe}\ G,\sigma) \to (\downarrow,\sigma) \to \langle sink\rangle$. Then we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\mathsf{observe}\ G]}(\Diamond\langle sink\rangle)
&= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi) + \Pr(\neg\Diamond\langle sink\rangle) \\
&= \Pr(\pi_1)\cdot r(\pi_1) + 0 \\
&= 1\cdot g(\sigma) = \chi_G(\sigma)\cdot g(\sigma) = (\chi_G\cdot g)(\sigma) = \mathrm{wlp}[\mathsf{observe}\ G](g)(\sigma)\,.
\end{aligned}
\]
In Case 2 we have $\sigma \not\models G$, so we have $\chi_G(\sigma) = 0$. The RMC in this case is of the following form:

[RMC] $(\mathsf{observe}\ G,\sigma) \to \langle\text{↯}\rangle \to \langle sink\rangle$, all three states with reward $0$.

In this RMC we have $\Pi := \mathrm{Paths}((\mathsf{observe}\ G,\sigma),\langle sink\rangle) = \{\pi_1\}$ with $\pi_1 = (\mathsf{observe}\ G,\sigma) \to \langle\text{↯}\rangle \to \langle sink\rangle$. Then we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\mathsf{observe}\ G]}(\Diamond\langle sink\rangle)
&= \sum_{\pi\in\Pi}\Pr(\pi)\cdot r(\pi) + \Pr(\neg\Diamond\langle sink\rangle) \\
&= \Pr(\pi_1)\cdot r(\pi_1) + 0 \\
&= 1\cdot 0 = 0 = 0\cdot g(\sigma) = \chi_G(\sigma)\cdot g(\sigma) = (\chi_G\cdot g)(\sigma) = \mathrm{wlp}[\mathsf{observe}\ G](g)(\sigma)\,.
\end{aligned}
\]

The Concatenation $P;\,Q$. For this program the RMC is of the following form:

[RMC] $(P;Q,\sigma) \to \cdots \to (\downarrow;Q,\sigma') \to (Q,\sigma') \to \cdots$, and likewise $(\downarrow;Q,\sigma'') \to (Q,\sigma'') \to \cdots$ for every other terminal state $\sigma''$ of $P$; some branches may diverge; the states shown carry reward $0$.

In this RMC every path in $\mathrm{Paths}((P;Q,\sigma),\langle sink\rangle)$ starts with $(P;Q,\sigma)$, eventually reaches $(\downarrow;Q,\sigma')$, and then immediately after that reaches $(Q,\sigma')$, which is the initial state of $\mathcal{R}^g_{\sigma'}[Q]$. Every diverging path either diverges because the program $P$ diverges or because the program $Q$ diverges. If we attempt to make the RMC smaller (while preserving the liberal expected reward) by cutting it off at states of the form $(\downarrow;Q,\tau)$, we have to assign to them the liberal expected reward $\mathrm{LExpRew}^{\mathcal{R}^g_\tau[Q]}(\Diamond\langle sink\rangle)$ in order not to lose the non-termination probability caused by $Q$. By this insight we can now transform the above RMC into the RMC with equal liberal expected reward below:

[RMC] $(P,\sigma) \to \cdots \to (\downarrow,\sigma')$, where every terminal state $(\downarrow,\sigma')$ is assigned the reward $\mathrm{LExpRew}^{\mathcal{R}^g_{\sigma'}[Q]}(\Diamond\langle sink\rangle)$ and all other states have reward $0$.

But the above RMC is exactly $\mathcal{R}^{\lambda\tau.\ \mathrm{LExpRew}^{\mathcal{R}^g_\tau[Q]}(\Diamond\langle sink\rangle)}_\sigma[P]$, for which the liberal expected reward is known by the induction hypothesis. So we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[P;Q]}(\Diamond\langle sink\rangle)
&= \mathrm{LExpRew}^{\mathcal{R}^{\lambda\tau.\ \mathrm{LExpRew}^{\mathcal{R}^g_\tau[Q]}(\Diamond\langle sink\rangle)}_\sigma[P]}(\Diamond\langle sink\rangle) \\
&= \mathrm{LExpRew}^{\mathcal{R}^{\mathrm{wlp}[Q](g)}_\sigma[P]}(\Diamond\langle sink\rangle) && \text{(I.H. on } Q\text{)} \\
&= \mathrm{wlp}[P]\big(\mathrm{wlp}[Q](g)\big)(\sigma) && \text{(I.H. on } P\text{)} \\
&= \mathrm{wlp}[P;Q](g)(\sigma)\,.
\end{aligned}
\]


The Conditional Choice $\mathsf{ite}\ (G)\ \{P\}\ \{Q\}$. For this program there are two cases: In Case 1 we have $\sigma \models G$, so we have $\chi_G(\sigma) = 1$ and $\chi_{\neg G}(\sigma) = 0$. The RMC in this case is of the following form:

[RMC] $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (P,\sigma) \to \cdots$, with reward $0$ at the initial state.

In this RMC every path in $\mathrm{Paths}((\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma),\langle sink\rangle)$ starts with $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (P,\sigma) \to \cdots$. As the state $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma)$ collects zero reward, the expected reward of the above RMC is equal to the expected reward of the following RMC:

[RMC] $(P,\sigma) \to \cdots$, with reward $0$ at the initial state.

But the above RMC is exactly $\mathcal{R}^g_\sigma[P]$, for which the expected reward is known by the induction hypothesis. A similar argument can be applied to the probability of not eventually reaching $\langle sink\rangle$. So we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\Diamond\langle sink\rangle)
&= \mathrm{ExpRew}^{\mathcal{R}^g_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\Diamond\langle sink\rangle) + \Pr^{\mathcal{R}^g_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\neg\Diamond\langle sink\rangle) \\
&= \mathrm{ExpRew}^{\mathcal{R}^g_\sigma[P]}(\Diamond\langle sink\rangle) + \Pr^{\mathcal{R}^g_\sigma[P]}(\neg\Diamond\langle sink\rangle) \\
&= \mathrm{wlp}[P](g)(\sigma) && \text{(I.H.)} \\
&= 1\cdot\mathrm{wlp}[P](g)(\sigma) + 0\cdot\mathrm{wlp}[Q](g)(\sigma) \\
&= \chi_G(\sigma)\cdot\mathrm{wlp}[P](g)(\sigma) + \chi_{\neg G}(\sigma)\cdot\mathrm{wlp}[Q](g)(\sigma) \\
&= \mathrm{wlp}[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}](g)(\sigma)\,.
\end{aligned}
\]
In Case 2 we have $\sigma \not\models G$, so we have $\chi_G(\sigma) = 0$ and $\chi_{\neg G}(\sigma) = 1$. The RMC in this case is of the following form:

[RMC] $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (Q,\sigma) \to \cdots$, with reward $0$ at the initial state.

In this RMC every path in $\mathrm{Paths}((\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma),\langle sink\rangle)$ starts with $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma) \to (Q,\sigma) \to \cdots$. As the state $(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\sigma)$ collects zero reward, the expected reward of the above RMC is equal to the expected reward of the following RMC:

[RMC] $(Q,\sigma) \to \cdots$, with reward $0$ at the initial state.

But the above RMC is exactly $\mathcal{R}^g_\sigma[Q]$, for which the expected reward is known by the induction hypothesis. A similar argument can be applied to the probability of not eventually reaching $\langle sink\rangle$. So we also have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\Diamond\langle sink\rangle)
&= \mathrm{ExpRew}^{\mathcal{R}^g_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\Diamond\langle sink\rangle) + \Pr^{\mathcal{R}^g_\sigma[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}]}(\neg\Diamond\langle sink\rangle) \\
&= \mathrm{ExpRew}^{\mathcal{R}^g_\sigma[Q]}(\Diamond\langle sink\rangle) + \Pr^{\mathcal{R}^g_\sigma[Q]}(\neg\Diamond\langle sink\rangle) \\
&= \mathrm{wlp}[Q](g)(\sigma) && \text{(I.H.)} \\
&= 0\cdot\mathrm{wlp}[P](g)(\sigma) + 1\cdot\mathrm{wlp}[Q](g)(\sigma) \\
&= \chi_G(\sigma)\cdot\mathrm{wlp}[P](g)(\sigma) + \chi_{\neg G}(\sigma)\cdot\mathrm{wlp}[Q](g)(\sigma) \\
&= \mathrm{wlp}[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}](g)(\sigma)\,.
\end{aligned}
\]

The Probabilistic Choice $\{P\}\ [p]\ \{Q\}$. For this program the RMC is of the following form:

[RMC] $(\{P\}\ [p]\ \{Q\},\sigma) \to (P,\sigma) \to \cdots$ with probability $p$, and $(\{P\}\ [p]\ \{Q\},\sigma) \to (Q,\sigma) \to \cdots$ with probability $1-p$; the initial state has reward $0$.

In this RMC every path in $\mathrm{Paths}((\{P\}\ [p]\ \{Q\},\sigma),\langle sink\rangle)$ starts with $(\{P\}\ [p]\ \{Q\},\sigma)$ and immediately after that reaches $(P,\sigma)$ with probability $p$ or $(Q,\sigma)$ with probability $1-p$. $(P,\sigma)$ is the initial state of $\mathcal{R}^g_\sigma[P]$ and $(Q,\sigma)$ is the initial state of $\mathcal{R}^g_\sigma[Q]$. The same holds for all paths that do not eventually reach $\langle sink\rangle$. By this insight we can transform the above RMC into the RMC with equal liberal expected reward below:

[RMC] $(\{P\}\ [p]\ \{Q\},\sigma) \to (P,\sigma)$ with probability $p$ and $\to (Q,\sigma)$ with probability $1-p$, where $(P,\sigma)$ is assigned the reward $\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[P]}(\Diamond\langle sink\rangle)$ and $(Q,\sigma)$ the reward $\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[Q]}(\Diamond\langle sink\rangle)$.

The liberal expected reward of the above RMC is given by $p\cdot\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[P]}(\Diamond\langle sink\rangle) + (1-p)\cdot\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[Q]}(\Diamond\langle sink\rangle)$, so in total we have for the liberal expected reward:
\[
\begin{aligned}
\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[\{P\}\ [p]\ \{Q\}]}(\Diamond\langle sink\rangle)
&= p\cdot\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[P]}(\Diamond\langle sink\rangle) + (1-p)\cdot\mathrm{LExpRew}^{\mathcal{R}^g_\sigma[Q]}(\Diamond\langle sink\rangle) \\
&= p\cdot\mathrm{wlp}[P](g)(\sigma) + (1-p)\cdot\mathrm{wlp}[Q](g)(\sigma) && \text{(I.H.)} \\
&= \mathrm{wlp}[\{P\}\ [p]\ \{Q\}](g)(\sigma)\,.
\end{aligned}
\]

The Loop $\mathsf{while}\ (G)\ \{P\}$. The argument is dual to the case for the (non-liberal) expected reward. $\square$

G. Proof of Lemma IV.5

Lemma IV.5. For $P \in \mathsf{cpGCL}^{\setminus}$, $g \in \mathbb{E}_{\le 1}$, and $\sigma \in \mathbb{S}$:
\[
\Pr^{\mathcal{R}^g_\sigma[P]}(\neg\Diamond\langle\text{↯}\rangle) = \mathrm{wlp}[P](1)(\sigma)\,.
\]

Proof. First, observe that paths on reaching $\checkmark$ or $\text{↯}$ immediately move to the state $\langle sink\rangle$. Moreover, all paths that never visit $\text{↯}$ either (a) visit a terminal $\checkmark$-state (which are the only states that can possibly collect positive reward) or (b) diverge and never reach $\langle sink\rangle$ and therefore reach neither $\checkmark$ nor $\text{↯}$. Furthermore the set of "(a)-paths" and the set of "(b)-paths" are disjoint. Thus:
\[
\Pr^{\mathcal{R}^g_\sigma[P]}(\neg\Diamond\langle\text{↯}\rangle)
= \Pr^{\mathcal{R}^g_\sigma[P]}(\Diamond\checkmark) + \Pr^{\mathcal{R}^g_\sigma[P]}(\neg\Diamond\langle sink\rangle)
\]
and by assigning reward one to every $\checkmark$-state, and zero to all other states, we can turn the probability measure into an expected reward, yielding
\[
= \mathrm{ExpRew}^{\mathcal{R}^1_\sigma[P]}(\Diamond\checkmark) + \Pr^{\mathcal{R}^1_\sigma[P]}(\neg\Diamond\langle sink\rangle)\,.
\]
As every path that reaches sink over a $\text{↯}$-state cumulates zero reward, we finally get:
\[
\begin{aligned}
&= \mathrm{ExpRew}^{\mathcal{R}^1_\sigma[P]}(\Diamond\langle sink\rangle) + \Pr^{\mathcal{R}^1_\sigma[P]}(\neg\Diamond\langle sink\rangle) \\
&= \mathrm{LExpRew}^{\mathcal{R}^1_\sigma[P]}(\Diamond\langle sink\rangle) \\
&= \mathrm{wlp}[P](1)(\sigma) && \text{(Lemma IV.4 (ii))} \qquad\square
\end{aligned}
\]

H. Proof of Theorem IV.6

Theorem IV.6 (Correspondence theorem). For $P \in \mathsf{cpGCL}^{\setminus}$, $f \in \mathbb{E}$, $g \in \mathbb{E}_{\le 1}$ and $\sigma \in \mathbb{S}$,
\[
\begin{aligned}
\mathrm{CExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\text{↯}\rangle) &= \mathrm{cwp}[P](f)(\sigma) \\
\mathrm{CLExpRew}^{\mathcal{R}^g_\sigma[P]}(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\text{↯}\rangle) &= \mathrm{cwlp}[P](g)(\sigma)\,.
\end{aligned}
\]

Proof. We prove only the first equation. The proof of the second equation goes along the same arguments.
\[
\begin{aligned}
\mathrm{CExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\text{↯}\rangle)
&= \frac{\mathrm{ExpRew}^{\mathcal{R}^f_\sigma[P]}(\Diamond\langle sink\rangle)}{\Pr^{\mathcal{R}^f_\sigma[P]}(\neg\Diamond\langle\text{↯}\rangle)} \\
&= \frac{\mathrm{wp}[P](f)}{\mathrm{wlp}[P](1)}(\sigma) && \text{(Lemmas IV.4 (i), IV.5)} \\
&= \frac{\mathrm{cwp}_1[P](f,1)}{\mathrm{cwp}_2[P](f,1)}(\sigma) \\
&= \mathrm{cwp}[P](f)(\sigma) && \text{(Theorem IV.1)} \qquad\square
\end{aligned}
\]

I. Proof of Theorem VI.1

Theorem VI.1 (Program Transformation Correctness). Let $P \in \mathsf{cpGCL}$ admit at least one feasible run for every initial state and $T(P,1) = (\hat P, \hat h)$. Then for any $f \in \mathbb{E}$ and $g \in \mathbb{E}_{\le 1}$,
\[
\mathrm{wp}[\hat P](f) = \mathrm{cwp}[P](f) \quad\text{and}\quad \mathrm{wlp}[\hat P](g) = \mathrm{cwlp}[P](g)\,.
\]

In view of Theorem IV.1 the proof reduces to showing the equations $\hat h\cdot\mathrm{wp}[\hat P](f) = \mathrm{wp}[P](f)$, $\hat h\cdot\mathrm{wlp}[\hat P](g) = \mathrm{wlp}[P](g)$ and $\hat h = \mathrm{wlp}[P](1)$, which follow immediately from the auxiliary Lemma A.5 below by taking $h = 1$.

Lemma A.5. Let $P \in \mathsf{cpGCL}$. Then for all expectations $f \in \mathbb{E}$ and $g, h \in \mathbb{E}_{\le 1}$, it holds
\[
\begin{aligned}
\hat h\cdot\mathrm{wp}[\hat P](f) &= \mathrm{wp}[P](h\cdot f) && (7) \\
\hat h\cdot\mathrm{wlp}[\hat P](g) &= \mathrm{wlp}[P](h\cdot g) && (8) \\
\hat h &= \mathrm{wlp}[P](h)\,, && (9)
\end{aligned}
\]
where $(\hat P,\hat h) = T(P,h)$.

Proof. We prove only equations (7) and (9) since (8) follows a reasoning similar to (7). The proof proceeds by induction on the structure of $P$. In the remainder we refer to the inductive hypothesis about (7) as $\mathrm{IH}_1$ and to the inductive hypothesis about (9) as $\mathrm{IH}_2$.

The Effectless Program skip. We have $T(\mathsf{skip},h) = (\mathsf{skip},h)$ and the statement follows immediately since
\[
h\cdot\mathrm{wp}[\mathsf{skip}](f) = h\cdot f = \mathrm{wp}[\mathsf{skip}](h\cdot f)
\]
and
\[
h = \mathrm{wlp}[\mathsf{skip}](h)\,.
\]

The Faulty Program abort. We have $T(\mathsf{abort},h) = (\mathsf{abort},1)$ and the statement follows immediately since
\[
1\cdot\mathrm{wp}[\mathsf{abort}](f) = 1\cdot 0 = \mathrm{wp}[\mathsf{abort}](h\cdot f)
\]
and
\[
1 = \mathrm{wlp}[\mathsf{abort}](h)\,.
\]

The Assignment $x := E$. We have $T(x := E,h) = (x := E,\ h[x/E])$ and the statement follows immediately since
\[
h[x/E]\cdot\mathrm{wp}[x := E](f) = h[x/E]\cdot f[x/E] = (h\cdot f)[x/E] = \mathrm{wp}[x := E](h\cdot f)
\]
and
\[
h[x/E] = \mathrm{wlp}[x := E](h)\,.
\]

The Observation $\mathsf{observe}\ G$. We have $T(\mathsf{observe}\ G,h) = (\mathsf{skip},\ \chi_G\cdot h)$ and the statement follows immediately since
\[
\chi_G\cdot h\cdot\mathrm{wp}[\mathsf{skip}](f) = \chi_G\cdot h\cdot f = \mathrm{wp}[\mathsf{observe}\ G](h\cdot f)
\]
and
\[
\chi_G\cdot h = \mathrm{wlp}[\mathsf{observe}\ G](h)\,.
\]

The Concatenation $P;\,Q$. Let $(\hat Q,h_Q) = T(Q,h)$ and $(\hat P,h_P) = T(P,h_Q)$. In view of these definitions, we obtain
\[
T(P;Q,\ h) = (\hat P;\hat Q,\ h_P)\,.
\]
Now
\[
\begin{aligned}
h_P\cdot\mathrm{wp}[\hat P;\hat Q](f)
&= h_P\cdot\mathrm{wp}[\hat P]\big(\mathrm{wp}[\hat Q](f)\big) \\
&= \mathrm{wp}[P]\big(h_Q\cdot\mathrm{wp}[\hat Q](f)\big) && (\mathrm{IH}_1\text{ on } P) \\
&= \mathrm{wp}[P]\big(\mathrm{wp}[Q](h\cdot f)\big) && (\mathrm{IH}_1\text{ on } Q) \\
&= \mathrm{wp}[P;Q](h\cdot f)
\end{aligned}
\]
and
\[
\begin{aligned}
h_P &= \mathrm{wlp}[P](h_Q) && (\mathrm{IH}_2\text{ on } P) \\
&= \mathrm{wlp}[P]\big(\mathrm{wlp}[Q](h)\big) && (\mathrm{IH}_2\text{ on } Q) \\
&= \mathrm{wlp}[P;Q](h)\,.
\end{aligned}
\]

The Conditional Choice $\mathsf{ite}\ (G)\ \{P\}\ \{Q\}$. Let $(\hat P,h_P) = T(P,h)$ and $(\hat Q,h_Q) = T(Q,h)$. In view of these definitions, we obtain
\[
T(\mathsf{ite}\ (G)\ \{P\}\ \{Q\},\ h) = (\mathsf{ite}\ (G)\ \{\hat P\}\ \{\hat Q\},\ \chi_G\cdot h_P + \chi_{\neg G}\cdot h_Q)\,.
\]
Now
\[
\begin{aligned}
&(\chi_G\cdot h_P + \chi_{\neg G}\cdot h_Q)\cdot\mathrm{wp}[\mathsf{ite}\ (G)\ \{\hat P\}\ \{\hat Q\}](f) \\
&= (\chi_G\cdot h_P + \chi_{\neg G}\cdot h_Q)\cdot\big(\chi_G\cdot\mathrm{wp}[\hat P](f) + \chi_{\neg G}\cdot\mathrm{wp}[\hat Q](f)\big) \\
&= \chi_G\cdot h_P\cdot\mathrm{wp}[\hat P](f) + \chi_{\neg G}\cdot h_Q\cdot\mathrm{wp}[\hat Q](f) \\
&= \chi_G\cdot\mathrm{wp}[P](h\cdot f) + \chi_{\neg G}\cdot\mathrm{wp}[Q](h\cdot f) && (\mathrm{IH}_1) \\
&= \mathrm{wp}[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}](h\cdot f)
\end{aligned}
\]
and
\[
\begin{aligned}
\chi_G\cdot h_P + \chi_{\neg G}\cdot h_Q
&= \chi_G\cdot\mathrm{wlp}[P](h) + \chi_{\neg G}\cdot\mathrm{wlp}[Q](h) && (\mathrm{IH}_2) \\
&= \mathrm{wlp}[\mathsf{ite}\ (G)\ \{P\}\ \{Q\}](h)\,.
\end{aligned}
\]

The Probabilistic Choice $\{P\}\ [p]\ \{Q\}$. Let $(\hat P,h_P) = T(P,h)$ and $(\hat Q,h_Q) = T(Q,h)$. In view of these definitions, we obtain
\[
T(\{P\}\ [\phi]\ \{Q\},\ h) = \big(\{\hat P\}\ [\phi\cdot h_P/\hat h]\ \{\hat Q\},\ \phi\cdot h_P + (1-\phi)\cdot h_Q\big)
\]
with $\hat h = \phi\cdot h_P + (1-\phi)\cdot h_Q$.

To prove the first claim
\[
\hat h\cdot\mathrm{wp}[\{\hat P\}\ [\phi\cdot h_P/\hat h]\ \{\hat Q\}](f) = \mathrm{wp}[\{P\}\ [\phi]\ \{Q\}](h\cdot f)
\]
of the lemma we need to make a case distinction between those states that are mapped by $\hat h$ to a positive number and those that are mapped to $0$. In the first case, i.e. if $\hat h(s) > 0$, we reason as follows:
\[
\begin{aligned}
&\hat h(s)\cdot\mathrm{wp}[\{\hat P\}\ [\phi\cdot h_P/\hat h]\ \{\hat Q\}](f)(s) \\
&= \hat h(s)\cdot\Big(\tfrac{\phi(s)\cdot h_P(s)}{\hat h(s)}\cdot\mathrm{wp}[\hat P](f)(s) + \big(1 - \tfrac{\phi(s)\cdot h_P(s)}{\hat h(s)}\big)\cdot\mathrm{wp}[\hat Q](f)(s)\Big) \\
&= \phi(s)\cdot h_P(s)\cdot\mathrm{wp}[\hat P](f)(s) + (1-\phi)(s)\cdot h_Q(s)\cdot\mathrm{wp}[\hat Q](f)(s) \\
&= \phi(s)\cdot\mathrm{wp}[P](h\cdot f)(s) + (1-\phi)(s)\cdot\mathrm{wp}[Q](h\cdot f)(s) && (\mathrm{IH}_1) \\
&= \mathrm{wp}[\{P\}\ [\phi]\ \{Q\}](h\cdot f)(s)
\end{aligned}
\]
while in the second case, i.e. if $\hat h(s) = 0$, the claim holds because we will have $\mathrm{wp}[\{P\}\ [\phi]\ \{Q\}](h\cdot f)(s) = 0$. To see this note that if $\hat h(s) = 0$ then either $\phi(s) = 0 \wedge h_Q(s) = 0$ or $\phi(s) = 1 \wedge h_P(s) = 0$ holds. Now assume we are in the first case (an analogous argument works for the other case); using $\mathrm{IH}_1$ over $Q$ we obtain
\[
\mathrm{wp}[\{P\}\ [\phi]\ \{Q\}](h\cdot f)(s) = \mathrm{wp}[Q](h\cdot f)(s) = h_Q(s)\cdot\mathrm{wp}[\hat Q](f)(s) = 0\,.
\]
The proof of the second claim of the lemma is straightforward:
\[
\begin{aligned}
\phi\cdot h_P + (1-\phi)\cdot h_Q
&= \phi\cdot\mathrm{wlp}[P](h) + (1-\phi)\cdot\mathrm{wlp}[Q](h) && (\mathrm{IH}_2) \\
&= \mathrm{wlp}[\{P\}\ [\phi]\ \{Q\}](h)\,.
\end{aligned}
\]

The Loop $\mathsf{while}\ (G)\ \{P\}$. Let $\hat h = \nu F$ where $F(X) = \chi_G\cdot T_P(X) + \chi_{\neg G}\cdot h$ and $T_P(\cdot)$ is a short-hand for $\pi_2\circ T(P,\cdot)$. Now if we let $(\hat P,\theta) = T(P,\hat h)$, by definition of $T$ we obtain
\[
T(\mathsf{while}\ (G)\ \{P\},\ h) = (\mathsf{while}\ (G)\ \{\hat P\},\ \hat h)\,.
\]
The first claim of the lemma says that
\[
\hat h\cdot\mathrm{wp}[\mathsf{while}\ (G)\ \{\hat P\}](f) = \mathrm{wp}[\mathsf{while}\ (G)\ \{P\}](h\cdot f)\,.
\]
Now if we let $H(X) = \chi_G\cdot\mathrm{wp}[\hat P](X) + \chi_{\neg G}\cdot f$ and $I(X) = \chi_G\cdot\mathrm{wp}[P](X) + \chi_{\neg G}\cdot h\cdot f$, the claim can be rewritten as $\hat h\cdot\mu H = \mu I$, and a straightforward argument using the Kleene fixed point theorem (and the continuity of wp established in Lemma A.1) shows that it is entailed by the formula $\forall n.\ \hat h\cdot H^n(0) = I^n(0)$. We prove the formula by induction on $n$. The case $n = 0$ is trivial. For the inductive case we reason as follows:
\[
\begin{aligned}
\hat h\cdot H^{n+1}(0)
&= F(\hat h)\cdot H^{n+1}(0) && (\text{def. } \hat h) \\
&= (\chi_G\cdot T_P(\hat h) + \chi_{\neg G}\cdot h)\cdot H^{n+1}(0) && (\text{def. } F) \\
&= (\chi_G\cdot T_P(\hat h) + \chi_{\neg G}\cdot h)\cdot\big(\chi_G\cdot\mathrm{wp}[\hat P](H^n(0)) + \chi_{\neg G}\cdot f\big) && (\text{def. } H)
\end{aligned}
\]
\[
\begin{aligned}
&= \chi_G\cdot T_P(\hat h)\cdot\mathrm{wp}[\hat P](H^n(0)) + \chi_{\neg G}\cdot h\cdot f && (\text{algebra}) \\
&= \chi_G\cdot\theta\cdot\mathrm{wp}[\hat P](H^n(0)) + \chi_{\neg G}\cdot h\cdot f && (\text{def. } \theta) \\
&= \chi_G\cdot\mathrm{wp}[P](\hat h\cdot H^n(0)) + \chi_{\neg G}\cdot h\cdot f && (\mathrm{IH}_1\text{ on } P) \\
&= I(\hat h\cdot H^n(0)) && (\text{def. } I) \\
&= I^{n+1}(0) && (\text{IH on } n)
\end{aligned}
\]
We now turn to proving the second claim
\[
\hat h = \mathrm{wlp}[\mathsf{while}\ (G)\ \{P\}](h)
\]
of the lemma. By letting $J(X) = \chi_G\cdot\mathrm{wlp}[P](X) + \chi_{\neg G}\cdot h$, the claim reduces to $\nu F = \nu J$, which we prove by showing that $\hat h = \nu F$ is a fixed point of $J$ and that $\nu J$ is a fixed point of $F$. (These assertions basically imply that $\nu F \ge \nu J$ and $\nu J \ge \nu F$, respectively.)
\[
\begin{aligned}
J(\hat h)
&= \chi_G\cdot\mathrm{wlp}[P](\hat h) + \chi_{\neg G}\cdot h && (\text{def. } J) \\
&= \chi_G\cdot\theta + \chi_{\neg G}\cdot h && (\mathrm{IH}_2\text{ on } P) \\
&= \chi_G\cdot T_P(\hat h) + \chi_{\neg G}\cdot h && (\text{def. } \theta) \\
&= F(\hat h) && (\text{def. } F) \\
&= \hat h && (\text{def. } \hat h)
\end{aligned}
\]
\[
\begin{aligned}
F(\nu J)
&= \chi_G\cdot T_P(\nu J) + \chi_{\neg G}\cdot h && (\text{def. } F) \\
&= \chi_G\cdot\mathrm{wlp}[P](\nu J) + \chi_{\neg G}\cdot h && (\mathrm{IH}_2\text{ on } P) \\
&= J(\nu J) && (\text{def. } J) \\
&= \nu J && (\text{def. } \nu J)
\end{aligned}
\]
$\square$
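Both the bounded-loop approximation of Lemma A.4 and the transformation $T$ of Lemma A.5 can be checked mechanically on small programs. The following Python script is an added example and not code from the paper: it implements wp and wlp for the nondeterminism-free fragment over a finite state space, unrolls while-loops as $\mathsf{while}^{<k}$ exactly as in Definition A.1, and applies the loop-free cases of $T$ from the proof above. The tuple encoding of programs, the helper names (`wp`, `transform`, `lemma_a5_holds`, `bounded_loop_values`), and the two sample programs are this example's own assumptions; the loop case of $T$ is left out because its $\nu$-fixed point needs a separate solver.

```python
"""Added example (not the paper's code): wp/wlp for the nondeterminism-free
fragment of cpGCL over a finite state space, bounded loops while^{<k} as in
Definition A.1, and the loop-free cases of the transformation T of Lemma A.5.
The tuple encoding of programs and all helper names are this example's own."""
from fractions import Fraction as Fr

# Programs:  ('skip',) ('abort',) ('assign', x, E) ('observe', G)
#            ('seq', P, Q) ('ite', G, P, Q) ('choice', phi, P, Q) ('while', G, P)
# States are dicts; G, E, expectations f and probabilities phi are functions of the state.

def chi(G):                 # characteristic function [G]
    return lambda s: Fr(1) if G(s) else Fr(0)

def subst(f, x, E):         # f[x/E]: evaluate f in the updated state
    return lambda s: f({**s, x: E(s)})

def wp(P, f, liberal=False, k=None):
    """wp[P](f), or wlp[P](f) if liberal.  Every while-loop is unrolled as
    while^{<k} (Definition A.1); k=None allows no loops at all."""
    kind = P[0]
    if kind == 'skip':
        return f
    if kind == 'abort':     # wp[abort] = 0, wlp[abort] = 1
        return lambda s: Fr(1) if liberal else Fr(0)
    if kind == 'assign':
        return subst(f, P[1], P[2])
    if kind == 'observe':   # both transformers give [G] * f
        return lambda s: chi(P[1])(s) * f(s)
    if kind == 'seq':
        return wp(P[1], wp(P[2], f, liberal, k), liberal, k)
    if kind == 'ite':
        G, wP, wQ = P[1], wp(P[2], f, liberal, k), wp(P[3], f, liberal, k)
        return lambda s: wP(s) if G(s) else wQ(s)
    if kind == 'choice':
        phi, wP, wQ = P[1], wp(P[2], f, liberal, k), wp(P[3], f, liberal, k)
        return lambda s: phi(s) * wP(s) + (1 - phi(s)) * wQ(s)
    if kind == 'while':
        if k is None:
            raise ValueError('unbounded loop: pass a bound k')
        if k == 0:          # while^{<0} (G) {P} = abort
            return wp(('abort',), f, liberal)
        G, body = P[1], P[2]   # while^{<k+1} = ite (G) {P; while^{<k}} {skip}
        unrolled = ('ite', G, ('seq', body, ('while', G, body)), ('skip',))
        return wp(unrolled, f, liberal, k - 1)
    raise ValueError(kind)

def transform(P, h):
    """T(P, h) = (P_hat, h_hat), following the cases of Lemma A.5's proof
    (loops are not handled here)."""
    kind = P[0]
    if kind == 'skip':
        return P, h
    if kind == 'abort':
        return P, lambda s: Fr(1)
    if kind == 'assign':
        return P, subst(h, P[1], P[2])
    if kind == 'observe':   # observe G becomes skip and h picks up the factor [G]
        return ('skip',), lambda s: chi(P[1])(s) * h(s)
    if kind == 'seq':
        Qh, hQ = transform(P[2], h)
        Ph, hP = transform(P[1], hQ)
        return ('seq', Ph, Qh), hP
    if kind == 'ite':
        Ph, hP = transform(P[2], h)
        Qh, hQ = transform(P[3], h)
        return ('ite', P[1], Ph, Qh), lambda s: hP(s) if P[1](s) else hQ(s)
    if kind == 'choice':
        phi = P[1]
        Ph, hP = transform(P[2], h)
        Qh, hQ = transform(P[3], h)
        h_hat = lambda s: phi(s) * hP(s) + (1 - phi(s)) * hQ(s)
        # new branch probability phi*hP/h_hat; if h_hat(s) = 0 both branches are
        # infeasible from s and the value is irrelevant (the proof's second case)
        phi_hat = lambda s: phi(s) * hP(s) / h_hat(s) if h_hat(s) else phi(s)
        return ('choice', phi_hat, Ph, Qh), h_hat
    raise ValueError('not handled: ' + kind)

def lemma_a5_holds(P, h, f, states):
    """Equations (7) and (9): h_hat*wp[P_hat](f) == wp[P](h*f) and h_hat == wlp[P](h)."""
    Ph, h_hat = transform(P, h)
    lhs7, rhs7 = wp(Ph, f), wp(P, lambda s: h(s) * f(s))
    rhs9 = wp(P, h, liberal=True)
    return all(h_hat(s) * lhs7(s) == rhs7(s) and h_hat(s) == rhs9(s) for s in states)

# Constructed sample: x := 1 [1/2] x := 0; y := 1 [1/3] y := 0; observe (x = 1 or y = 1)
SET = lambda x, v: ('assign', x, lambda s: v)
PROG = ('seq', ('choice', lambda s: Fr(1, 2), SET('x', 1), SET('x', 0)),
        ('seq', ('choice', lambda s: Fr(1, 3), SET('y', 1), SET('y', 0)),
                ('observe', lambda s: s['x'] == 1 or s['y'] == 1)))
STATES = [{'x': x, 'y': y} for x in (0, 1) for y in (0, 1)]
ONE = lambda s: Fr(1)
X_IS_ONE = chi(lambda s: s['x'] == 1)

def conditional_wp(P, f, s):
    """wp[P](f)(s) / wlp[P](1)(s), the ratio Theorem IV.1 identifies with cwp[P](f)(s)."""
    return wp(P, f)(s) / wp(P, ONE, liberal=True)(s)

def transformed_wp(P, f, s):
    """wp of the observe-free program T(P, 1); equal to cwp by Theorem VI.1."""
    return wp(transform(P, ONE)[0], f)(s)

# Geometric loop for Lemma A.4: while (x = 0) { x := 1 [1/2] x := 0 }
LOOP = ('while', lambda s: s['x'] == 0, ('choice', lambda s: Fr(1, 2), SET('x', 1), SET('x', 0)))

def bounded_loop_values(k_max):
    """wp[while^{<k} (x = 0) {...}]([x = 1])(x = 0) for k = 0..k_max: an ascending
    chain 0, 0, 1/2, 3/4, ... whose supremum is the loop's wp, namely 1."""
    return [wp(LOOP, X_IS_ONE, k=k)({'x': 0}) for k in range(k_max + 1)]
```

`bounded_loop_values` produces the chain $F^k(0)$ of Lemma A.4 for a loop that terminates almost surely; `lemma_a5_holds` evaluates (7) and (9) state by state, and for the sample program both `conditional_wp` (the ratio $\mathrm{wp}[P](f)/\mathrm{wlp}[P](1)$) and `transformed_wp` (wp of the observe-free $T(P,1)$) give $3/4$, as Theorem VI.1 predicts.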


J. Proof of Theorem VI.2

Proof. Let us take the operational point of view. Let $s_I$ be some initial state of $P$.
\[
\begin{aligned}
\mathrm{cwp}[P](f)(s_I)
&= \mathrm{CExpRew}^{\mathcal{R}^f_{s_I}[P]}(\Diamond\langle sink\rangle \mid \neg\Diamond\langle\text{↯}\rangle) && (10) \\
&= \mathrm{CExpRew}^{\mathcal{R}^f_{s_I}[P']}(\Diamond\langle sink\rangle \mid \neg\Diamond\mathit{rerun}) && (11) \\
&= \frac{\mathrm{ExpRew}^{\mathcal{R}^f_{s_I}[P']}(\Diamond\langle sink\rangle \wedge \neg\Diamond\mathit{rerun})}{\Pr^{\mathcal{R}^f_{s_I}[P']}(\neg\Diamond\mathit{rerun})} && (12) \\
&= \frac{\sum_{\pi \in \Diamond\langle sink\rangle \wedge \neg\Diamond\mathit{rerun}} \Pr^{\mathcal{R}^f_{s_I}[P']}(\pi)\cdot f(\pi)}{1 - \Pr^{\mathcal{R}^f_{s_I}[P']}(\Diamond\mathit{rerun})} && (13) \\
&= \sum_{i=0}^{\infty} \Pr^{\mathcal{R}^f_{s_I}[P']}(\Diamond\mathit{rerun})^i \cdot \sum_{\pi \in \Diamond\langle sink\rangle \wedge \neg\Diamond\mathit{rerun}} \Pr^{\mathcal{R}^f_{s_I}[P']}(\pi)\cdot f(\pi) && (14) \\
&= \ldots && (15) \\
&= \ldots && (16) \\
&= \sum_{\pi \in \Diamond\langle sink\rangle} \Pr^{\mathcal{R}^f_{s_I}[P'']}(\pi)\cdot f(\pi) && (17) \\
&= \mathrm{ExpRew}^{\mathcal{R}^f_{s_I}[P'']}(\Diamond\langle sink\rangle) && (18) \\
&= \mathrm{wp}[P''](f)(s_I)\,. && (19)
\end{aligned}
\]
The equality (11) holds because, by construction, the probability to violate an observation in $P$ agrees with the probability to reach a state in $P'$ where $\mathit{rerun}$ is true. In order to obtain equation (14) we use the fact that for a fixed real value $r$ and probability $a$ it holds
\[
\sum_{i=0}^{\infty} \ldots
\]
Rewriting (15) into (16) precisely captures the expected cumulative reward of all terminating paths in $P''$, which is the expression in the following line. Finally we return from the operational semantics to the denotational semantics and obtain the desired result. $\square$


K. Detailed calculations for Section VI-D

We refer to the labels $\mathit{init}$ and $\mathit{loop}$ introduced in the program $P$ in Section VI-D. Further let $\mathit{body}$ denote the program in the loop's body. For readability we abbreviate the variable names $\mathit{delivered}$ as $\mathit{del}$, $\mathit{counter}$ as $\mathit{cntr}$ and $\mathit{intercepted}$ as $\mathit{int}$. In the following we consider $\mathit{del}$ and $\mathit{int}$ as boolean variables. In order to determine (1) we first start with the numerator. This quantity is given by
\[
\begin{aligned}
&\mathrm{wp}[\mathit{init};\ \mathit{loop};\ \mathsf{observe}(\mathit{cntr} \le k)]([\neg\mathit{int}]) && (20) \\
&= \mathrm{wp}[\mathit{init}]\big(\mathrm{wp}[\mathit{loop}]([\mathit{cntr} \le k \wedge \neg\mathit{int}])\big) && (21) \\
&= \mathrm{wp}[\mathit{init}]\big(\mu F.\ [\neg\mathit{del}]\cdot\mathrm{wp}[\mathit{body}](F) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\big) && (22) \\
&= \mathrm{wp}[\mathit{init}]\big(\sup_n\ \Phi^n(0)\big) && (23)
\end{aligned}
\]
where $\Phi(F) = [\neg\mathit{del}]\cdot\mathrm{wp}[\mathit{body}](F) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]$ and $\Phi^n$ denotes the $n$-fold application of $\Phi$. Equation (21) is given directly by the semantics of sequential composition of cpGCL commands. In the next line we apply the definition of the loop semantics in terms of the least fixed point. Finally, (23) is given by the Kleene fixed point theorem as a solution to the fixed point equation in (22). We can explicitly find the supremum by considering $\Phi^n(0)$ for several $n$ and deducing a pattern. We have
\[
\begin{aligned}
\Phi(0) &= [\neg\mathit{del}]\cdot\mathrm{wp}[\mathit{body}](0) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] \\[4pt]
\Phi^2(0) &= \Phi([\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]) \\
&= [\neg\mathit{del}]\cdot\mathrm{wp}[\mathit{body}]([\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] \\
&= [\neg\mathit{del}]\cdot\big(p(1-c)\cdot[\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}] + (1-p)\cdot[\mathit{cntr} \le k \wedge \neg\mathit{int}]\big) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] \\
&= [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] \\[4pt]
\Phi^3(0) &= \Phi\big([\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\big) \\
&= [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p) + [\neg\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}]\cdot(1-p)\,p(1-c) + [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]
\end{aligned}
\]
As we continue to compute $\Phi^n(0)$, in each step we add a summand of the form
\[
[\neg\mathit{del} \wedge \mathit{cntr}+i \le k \wedge \neg\mathit{int}]\cdot(1-p)\,(p(1-c))^i\,.
\]
However we see that the predicate evaluates to false for all $i > k - \mathit{cntr}$. Hence the non-zero part of the fixed point is given by
\[
\begin{aligned}
&[\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + \sum_{i=0}^{k-\mathit{cntr}} [\neg\mathit{del} \wedge \mathit{cntr}+i \le k \wedge \neg\mathit{int}]\cdot(1-p)\,(p(1-c))^i \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot\sum_{i=0}^{k-\mathit{cntr}} (1-p)\,(p(1-c))^i \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p)\,\frac{1 - (p(1-c))^{k-\mathit{cntr}+1}}{1 - p(1-c)}
\end{aligned}
\]
where for the last equation we use a property of the finite geometric series, namely that for $r \ne 1$
\[
\sum_{i=0}^{k} a\,r^i = a\cdot\frac{1 - r^{k+1}}{1 - r}\,.
\]
The result coincides with the intuition that in a state where $\mathit{del} = \mathit{false}$, the probability to fail to reach the goal $\neg\mathit{int} \wedge \mathit{cntr} \le k$ is distributed geometrically with probability $p(1-c)$. It is easy to verify that our educated guess is correct by checking that we indeed found a fixed point of $\Phi$:
\[
\begin{aligned}
&\Phi\Big([\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p)\,\frac{1 - (p(1-c))^{k-\mathit{cntr}+1}}{1 - p(1-c)}\Big) \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del}]\cdot\Big((1-p)\cdot[\mathit{cntr} \le k \wedge \neg\mathit{int}] \\
&\qquad + p(1-c)\Big([\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}]\cdot(1-p)\,\frac{1 - (p(1-c))^{k-\mathit{cntr}}}{1 - p(1-c)}\Big)\Big) \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p) \\
&\qquad + [\neg\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}]\cdot(1-p)\,(p(1-c))\,\frac{1 - (p(1-c))^{k-\mathit{cntr}}}{1 - p(1-c)} \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} = k \wedge \neg\mathit{int}]\cdot(1-p) + [\neg\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}]\cdot(1-p) \\
&\qquad + [\neg\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}]\cdot(1-p)\,(p(1-c))\,\frac{1 - (p(1-c))^{k-\mathit{cntr}}}{1 - p(1-c)} \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} = k \wedge \neg\mathit{int}]\cdot(1-p) \\
&\qquad + [\neg\mathit{del} \wedge \mathit{cntr}+1 \le k \wedge \neg\mathit{int}]\cdot(1-p)\,\frac{1 - p(1-c) + (p(1-c))\big(1 - (p(1-c))^{k-\mathit{cntr}}\big)}{1 - p(1-c)} \\
&= [\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p)\,\frac{1 - (p(1-c))^{k-\mathit{cntr}+1}}{1 - p(1-c)}
\end{aligned}
\]
Moreover this fixed point is the only fixed point and therefore the least. The justification is given by [?], where it is shown that loops which terminate almost surely have only one fixed point. We can now continue our calculation from (23):
\[
\begin{aligned}
&= \mathrm{wp}[\mathit{init}]\Big([\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}] + [\neg\mathit{del} \wedge \mathit{cntr} \le k \wedge \neg\mathit{int}]\cdot(1-p)\,\frac{1 - (p(1-c))^{k-\mathit{cntr}+1}}{1 - p(1-c)}\Big) && (24) \\
&= \frac{(1-c)(1-p)\,\big(1 - (p(1-c))^{k}\big)}{1 - p(1-c)} && (25)
\end{aligned}
\]
This concludes the calculation of the numerator of (1). Analogously we find the denominator
\[
\begin{aligned}
&\mathrm{wlp}[\mathit{init};\ \mathit{loop};\ \mathsf{observe}(\mathit{cntr} \le k)](1) \\
&= \mathrm{wlp}[\mathit{init}]\big(\mathrm{wlp}[\mathit{loop}]([\mathit{cntr} \le k])\big) \\
&= \mathrm{wlp}[\mathit{init}]\big(\nu F.\ [\neg\mathit{del}]\cdot\mathrm{wlp}[\mathit{body}](F) + [\mathit{del} \wedge \mathit{cntr} \le k]\big) \\
&= \mathrm{wlp}[\mathit{init}]\Big(\sup_n\ \big([\neg\mathit{del}]\cdot\mathrm{wlp}[\mathit{body}](\cdot) + [\mathit{del} \wedge \mathit{cntr} \le k]\big)^n(1)\Big) \\
&= \mathrm{wlp}[\mathit{init}]\big([\mathit{del} \wedge \mathit{cntr} \le k] + [\neg\mathit{del} \wedge \mathit{cntr} \le k]\cdot(1 - p^{k-\mathit{counter}+1})\big) \\
&= \ldots && (26)
\end{aligned}
\]
The only difference is that here the supremum is taken with respect to the reversed order $\ge$, in which $1$ is the bottom and $0$ is the top element. However, as mentioned earlier, $\mathit{loop}$ terminates with probability one and the notions of wp and wlp coincide. We divide (25) by (26) to finally arrive at
\[
\mathrm{cwp}[P]([\neg\mathit{intercepted}]) = \ldots
\]
One can visualise it as a function in $k$ by fixing the parameters $c$ and $p$. For example, Figure 5 shows the conditional probability plotted for various parameter settings.

Fig. 5. The conditional probability that a message is intercepted as a function of $k$ for fixed $c$ and $p$.
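The closed form for the least fixed point of $\Phi$ derived above can be checked mechanically. The following Python script is an added example and not part of the paper's calculation: it models $\mathrm{wp}[\mathit{body}]$ as it is used in the computation of $\Phi^2(0)$ above (with probability $p$ the message is forwarded, being intercepted with probability $c$ and otherwise incrementing $\mathit{cntr}$; with probability $1-p$ it is delivered), iterates $\Phi$ from $0$ on a finite grid of states, and compares the result with the closed form and with the fixed-point property. The state encoding, the function names and the parameter values are this example's assumptions, and the body model is read off the $\Phi^2(0)$ step rather than taken from Section VI-D; $\mathit{init}$ is not given here, so (24) and (25) are not reproduced.

```python
"""Added example (not from the paper): Kleene iteration of Phi from Section K
checked against the closed form (1-p)(1-(p(1-c))^(k-cntr+1))/(1-p(1-c))."""
from fractions import Fraction as Fr
from itertools import product

def states(k):
    """Finite grid of states (del, cntr, int) with cntr in 0..k+1.  States with a
    larger cntr can never satisfy cntr <= k again and have value 0 everywhere."""
    return [(d, n, i) for d, n, i in product((False, True), range(k + 2), (False, True))]

def wp_body(F, p, c):
    """wp[body](F) for the assumed body, read off the Phi^2(0) step above:
    with probability p forward ({int := true} [c] {cntr := cntr + 1}),
    with probability 1-p deliver (del := true).  F is a table; states outside
    the grid count as 0."""
    def value(s):
        del_, cntr, int_ = s
        fwd = c * F.get((del_, cntr, True), Fr(0)) + (1 - c) * F.get((del_, cntr + 1, int_), Fr(0))
        return p * fwd + (1 - p) * F.get((True, cntr, int_), Fr(0))
    return value

def goal(s, k):
    """[del and cntr <= k and not int]"""
    del_, cntr, int_ = s
    return Fr(1) if (del_ and cntr <= k and not int_) else Fr(0)

def phi(F, p, c, k):
    """One application of Phi(F) = [not del] * wp[body](F) + [del and cntr <= k and not int]."""
    body = wp_body(F, p, c)
    return {s: (Fr(0) if s[0] else body(s)) + goal(s, k) for s in states(k)}

def iterate_phi(p, c, k, n):
    """Phi^n(0) as a table over the state grid."""
    p, c = Fr(p), Fr(c)
    F = {s: Fr(0) for s in states(k)}
    for _ in range(n):
        F = phi(F, p, c, k)
    return F

def closed_form(p, c, k):
    """The candidate fixed point from Section K, as a table over the grid."""
    p, c = Fr(p), Fr(c)
    r = p * (1 - c)
    table = {}
    for s in states(k):
        del_, cntr, int_ = s
        if int_ or cntr > k:
            table[s] = Fr(0)
        elif del_:
            table[s] = Fr(1)
        else:
            table[s] = (1 - p) * (1 - r ** (k - cntr + 1)) / (1 - r)
    return table

def is_fixed_point(p, c, k):
    """Phi(closed_form) == closed_form on the whole grid (the check done by hand above)."""
    cf = closed_form(p, c, k)
    return phi(cf, Fr(p), Fr(c), k) == cf

def iteration_matches(p, c, k):
    """Phi^(k+2)(0) already equals the closed form: the summand with index i first
    appears in Phi^(i+2)(0) and vanishes for i > k - cntr, so nothing changes afterwards."""
    return iterate_phi(p, c, k, k + 2) == closed_form(p, c, k)

def start_value(p, c, k):
    """Value of the fixed point in the state del = false, cntr = 0, int = false."""
    return closed_form(p, c, k)[(False, 0, False)]
```

Exact rational arithmetic (`Fraction`) is used so that the fixed-point comparison is an equality rather than a tolerance check; with $p = 1/2$, $c = 1/4$ and $k = 3$ the start value is $(1/2)\,(1-(3/8)^4)/(5/8) = 803/1024$.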










